Chapter 3 - Key issues
3.1
This chapter examines the main issues and concerns raised in the course
of the committee's inquiry. Submissions to the inquiry were generally
favourable to the Bill, especially the desirability of a single comprehensive
legislative regime dealing with access to telecommunications information.[1]
3.2
Two submissions, from Electronic Frontiers Australia (EFA) and the
Australian Privacy Foundation (APF), suggested that the Bill is so flawed that
it should not be passed. These organisations focused on privacy implications
of the new regime for access to telecommunications data. Several organisations
recommended the Bill be passed with minor amendments, many of which involve
limiting the language of various definitions in the Bill.
3.3
The main issues raised include:
- the definition of key terms such as 'enforcement agency' in the Bill;
- the lack of a definition of 'telecommunications data';
- privacy concerns, particularly in relation to access to
prospective telecommunications data and the impact of the secondary disclosure
provisions on police officers;
- the obligations on telecommunications companies;
- concerns about whether the amendments meet the need to protect
critical infrastructure; and
- the mechanisms for reporting, oversight and review.
Consultation
3.4
The amendments in the Bill were the subject of a consultation process run
by the Attorney-General's Department.[2]
An officer of the Department outlined the consultation undertaken:
[W]e developed the draft legislation in close consultation with
Commonwealth government agencies. That was an internal consultation process. We
released the exposure draft of the bill in February [2007] and we received 32
submissions addressing the various provisions. To follow up on that we also had
a number of meetings and conversations with industry groups and various
submitters to work through some of the issues that they raised. Quite a few of
the issues that they have raised have resulted in amendments between the
exposure draft and the [bill] that was subsequently introduced.[3]
3.5
The Office of the Privacy Commissioner (OPC) noted that 'a number of the
issues raised in our previous submission have been addressed in the Bill and
Explanatory Memorandum'.[4]
Similarly, Mr Chris Althaus of the Australian Mobile Telecommunications
Association (AMTA) commented at the hearing that:
There was over an extended period a high degree of interaction
with the industry. We had a number of concerns particularly in relation to
standards and powers within the exposure draft. We were able to put an argument
forward, the government listened to that, and that was an important amendment
in our view. In many respects it was the most important amendment that came
forward.[5]
Definitions
Definition of 'enforcement agency'
3.6
EFA submitted that CrimTrac should be deleted from the definition of
'enforcement agency' on the basis that it is not a criminal law enforcement
agency or an agency that conducts investigations.[6]
EFA was also concerned that the inclusion of CrimTrac in the definition of
'enforcement agency' would give CrimTrac access to stored communications
warrants under section 110 of the TIA Act.[7]
3.7
The Law Council of Australia (Law Council) expressed concern at the
inclusion of paragraph (k) in the proposed definitions of 'enforcement agency'
and 'criminal law-enforcement agency'. This provision allows an authority
established under a Commonwealth, state or territory law to be added to these
definitions by regulation. The Law Council was particularly concerned that this
would allow delegated legislation to expand the range of agencies which will be
able to authorise access to prospective telecommunications data:
The Law Council believes that the practice of reserving to the
Executive the power to expand definitions of this nature, which are crucial to scope
and operation of the TIA Act, is of great concern. No reason has been provided
for why the efficient operation of the TIA Act requires the sort of flexibility
afforded the Executive under paragraph (k).[8]
Departmental response
3.8
In relation to the inclusion of CrimTrac in the definition of
'enforcement agency', an officer of the Department advised:
[CrimTrac] are an enforcement agency in terms of
telecommunications data. That is an existing provision under the
Telecommunications Act...At this stage we have transferred over the agencies
provided within the definition of 'enforcement agency' under the
Telecommunications Act and we are looking to see whether or not it is
appropriate that they continue to be within that definition. Until such time as
we can actually establish that it is not appropriate, we have not removed them.[9]
3.9
The Department explained further:
The inclusion of CrimTrac in the definition of an enforcement
agency in the TIA Act will not in itself allow CrimTrac to access stored
communications. Stored communications may only be accessed by an enforcement
agency where they have satisfied an issuing authority that the information that
would be obtained would likely assist in connection with the requesting
agencies investigation of a serious contravention, being an offence punishable
by imprisonment for a maximum period of 3 years.
As CrimTrac's functions do not include the investigation of any
offences, they will not be eligible to be issued with a stored communications warrant.[10]
3.10
On the issue of the power to expand the definitions of 'enforcement
agency' and 'criminal law-enforcement agency' by regulation, the Department
responded:
The regulation making provision is a direct transfer from the
Telecommunications Act which provides for an agency to be prescribed as a 'criminal-law
enforcement agency'. While there are no agencies currently proposed to be
prescribed, the regulation making power will allow the inclusion of agencies
where their investigative functions change to the extent that access to
prospective information becomes necessary.
For example, the Australian Customs Service and the Australian
Securities and Investment Commission currently have access to historical data.
If the nature of their investigative functions change to the extent that it is
considered appropriate for them to receive telecommunications data in near-real
time, they may be prescribed under paragraph 5(1)(k) of the TIA Act.[11]
Meaning of 'telecommunications data'
3.11
There is no definition of 'telecommunications data' in the Bill. Instead,
proposed section 172 prevents the provisions which permit the disclosure of
telecommunications data from applying to the 'contents or substance of a
communication'. Subject to this limitation, the provisions in Chapter 4 then
authorise access to 'information or a document'.
3.12
In its comments on the Exposure Draft of the Bill, OPC suggested that
the distinctions between 'information or a document' and 'contents or
substance' may be difficult to discern in some cases and called for further clarification,
given that the prohibitions against disclosure in the TIA Act attract a serious
penalty.[12]
OPC welcomed the inclusion in the EM of material to clarify the distinction
between call data and the content of a communication.[13]
3.13
However, the APF and EFA felt that these changes did not go far enough
and expressed particular concern about the potential to access information
about web browsing and chat room sessions, and email header data as
telecommunications data.[14]
APF argued:
We are very disappointed that such a fundamental revision of the
relevant provisions has missed the opportunity to more clearly define what is
meant by key terms such as 'telecommunications data' and 'content or substance'.
This creates unacceptable ambiguity and uncertainty about the 'reach' of the
various powers and protections. It also leaves open the possibility that very
sensitive information such as mobile phone location data, email message headers
and various Internet logs would not be considered 'substance or content' or stored
'communications', and would therefore be subject not to the TIAA warrant
controls but to the much weaker protection applying to 'authorisations'...We
submit that a much clearer legislative distinction between 'traffic data' and 'substance
and content' is required.[15]
3.14
Similarly, EFA suggested that the distinction between the content or
substance of a message and other data was particularly unclear in relation to
email header data:
In our view the subject line is part of the content of a
message, but existing legislation is silent on this matter and it cannot be
known whether the same view would be held by all carriers and enforcement
agencies. Furthermore, email messages can carry significantly more...information
in the header section than is equivalent to 'traffic information' associated
with telephone calls. For example, some (probably most) email programs enable
the end-user to create their own special header fields in outgoing messages, in
which they can place any information they wish.[16]
3.15
As a result, EFA suggested that clarification of the distinction between
data and content in relation to email messages should be included in the Bill.[17]
3.16
EFA further argued that the Bill should be amended so that access to
information regarding Internet sessions would only be permitted under a stored
communications warrant.[18]
EFA submitted that the data which may be captured in relation to Internet
sessions is qualitatively different to telecommunications data about telephone
calls and email messages:
Surveillance of web browsing
activities is akin to filming individuals' activities in a manner that records
every item they purchase in shops, every film they see at the cinema or hire or
buy, every book and magazine they glance through and/or purchase or take out on
loan from a library and so on. Furthermore, unlike 'telecommunications data'
about telephone calls and email messages, the address of a web page often, of
itself, provides information about the content or substance of the
communication and web page addresses can be used to obtain access to the
content that was communicated.[19]
Departmental response
3.17
The Department advised that there was no intention to insert a
definition of 'telecommunications data' into the Bill and explained:
Our concern about defining what technology and call associated
data may be now [is that the definition] might be redundant in 12 months time.
Essentially we rely on the premise that the contents and substance of a
communication are protected and are only accessible under a TIA warrant, an
interception warrant or a stored communication warrant, and it is the other
information that attaches to a communication but does not disclose the contents
or the substance of that communication that is the associated data. One of the
points of bringing this all into one piece of legislation is the hope that by
having the three limbs together it will be clearer when advising law
enforcement and the carriers on what exactly is content and what is call
associated data as new technologies come into place.[20]
3.18
The EM states that the subject line of an email or details of Internet
sessions are not captured as 'telecommunications data'.[21]
At the hearing, an officer of the Department clarified what information would
be captured as telecommunications data in relation to web browsing:
In relation to getting call-associated data regarding an IP
[Internet Protocol] address that can identify a web page, that is not content
because all it does is tell a law enforcement agency that a certain target went
to a certain website. It does not tell them any other details. It does not tell
them that they then went into their bookings online or via their travel agent
or that they downloaded particular information. It does not give them any
knowledge of the substance as to why they were on that web page. URLs [Uniform
Resource Locators] are a little different because they will then point out the
continuum of where the person actually went to.[22]
3.19
The Department went on to argue that URL data was equivalent to a
telephone number in terms of the information provided:
With regard to web URLs—or URIs [Uniform Resource Identifiers]
—and how an apparatus finds that on the Internet, I will go back to the analogy
of when we used to make telephone calls; if we had call charge records we would
have a list of numbers that a person called but it does not show content...If
an officer wants to phone those numbers and find out what they are they could
ring them systematically. It is the same with a computer. When they go and
click that button to search that URL, it is the same thing.[23]
3.20
The Department also responded to EFA's concerns that email header data
may be captured as telecommunications data:
EFA in their submission provided an example that relates to
user-defined 'headers' to email messages. EFA states that whilst headers
generally do not contain personal information or content, there is the capacity
to include information in headers which are defined by the user. They argue
that there is therefore confusion as to whether this information is considered
data or content.
The EFA rely on an Internet Engineering Task Force (IETF)
standard referred to as Request for Comment (RFC) 822. This is an obsolete
standard that was superseded in 2001 by RFC 2822 and the relevant header fields
stated by EFA cannot be found in the current standard. RFC 2822 also states
that these obsolete fields 'MUST NOT be generated'.[24]
Privacy concerns
3.21
Several submissions raised concerns regarding the impact the Bill would
have on privacy, in particular the provisions relating to access to prospective
telecommunications data and to secondary disclosure of data.
Access to prospective telecommunications data
3.22
EFA expressed concerns about the potential use of real time access to
telecommunications data to track individuals using data obtained from mobile
telephones. EFA stated, in relation to prospective data, that:
New technologies such as Assisted GPS, reportedly expected to be
introduced in Australia by some carriers in 2007 or 2008, will greatly improve
the accuracy of mobile phone location information. Access to 'prospective'
location information enables not only identifying/tracking location but
potentially real world, real time, surveillance of a tracked individual's
activities.[25]
3.23
EFA therefore submitted that access to prospective mobile telephone data
should be subject to more stringent control than authorisation by certain
officers in ASIO or a criminal-law enforcement agency:
[W]e are very concerned that this bill will enable tracking of
people via mobile phone location information without a warrant, which is
basically further extending the definition of 'telecommunications data'...This
bill appears to have the specific purpose of allowing law enforcement agencies
to use a person's own tracking device that they carry with them all of the
time. Because it is a device that can be used to track a person without the
need to covertly install a tracking device on a person's property or body, we
believe that there is considerably more potential for misuse of these new
powers. We are strongly of the view that for that kind of information to be
collected in near real time, because it will enable physical visual of track
people, a warrant should be required similar to the existing surveillance
device warrants in the Commonwealth and the various states, or with similar
conditions attached as the stored communications warrants.[26]
3.24
The Law Council acknowledged that the Bill places greater controls on
access to prospective telecommunications data (under proposed sections 176 and
180) than access to existing data (under proposed sections 175, 178 and 179).
However, the Law Council considered that these controls do not go far enough.[27]
The Law Council also argued that criminal
law-enforcement agencies should require a warrant in order to access
prospective telecommunications data and thus use a person's mobile telephone as
a tracking device:
The Law Council recognises that under Section 39 of the
Surveillance Devices Act 2004, law enforcement officers are already able to use
a tracking device without a warrant in the investigation of a federal offence
which carries a maximum penalty of at least 3 years. This is provided that
written permission is received from an 'appropriate authorising officer' and
installation and retrieval of the device does not require entry onto premises
without permission or interference with the interior of a vehicle without
permission.
Nonetheless, the Law Council believes that the ease with which
telecommunications data may be used to track a person, as compared to the
difficult of secretly affixing a physical tracking device to a person or thing,
renders proposed s 180 far more amenable to misuse or overuse by law
enforcement agencies than existing provisions in the Surveillance Devices Act
2004.
It is on that basis that the Law Council believes that access to
prospective telecommunications data should require a warrant.[28]
3.25
The Queensland Council for Civil Liberties also expressed concern that
the Bill would allow mobile telephone location information to be disclosed
under a written authorisation for a period of 45 or 90 days without the need to
obtain a warrant.[29]
Departmental response
3.26
The Department noted that the Telecommunications Act already provides
for enforcement agencies to access prospective telecommunications data:
Access to prospective data already exists under the current
regime. In moving it over to the TIA act, we have acknowledged that there are
two accesses under section 282 of the act—that is, historical data and
information in real time.[30]
3.27
In response to concerns about the privacy implications of access to
prospective data from mobile telephones, the Department argued that the new
regime imposes more stringent requirements for access to prospective data:
From our perspective that is addressed by the fact that we have
acknowledged that there is potentially a greater breach of privacy if a person
can access prospective data, and that is why we have separated it out from
historical data. We have placed a time limitation on it. We have also limited
the agencies that can access this information to criminal law enforcement and
national security agencies, and we have made it an offence that is punishable
by three years, which is consistent with the surveillance devices legislation.[31]
Secondary disclosure provisions
3.28
The Police Federation of Australia (Police Federation) held concerns
regarding how proposed section 182 may impact on the privacy rights of police
officers, especially those involved in disciplinary proceedings.[32]
Proposed section 182 would allow the secondary disclosure and use of telecommunications
data where the disclosure is reasonably necessary 'for the enforcement of a law
imposing a pecuniary penalty'. At the hearing, Mr Mark Burgess of the Police
Federation explained that:
the disciplinary offences applicable to most police jurisdictions
are found within state and territory legislation and have provisions for
pecuniary penalties by way of fines even for very minor matters.[33]
3.29
Mr Burgess gave further evidence that:
We are concerned that the bill will give the ability to disclose
information, as limited as it might be, which will therefore allow people to
undertake fishing expeditions for further information that they might think
they can gather, and when they might not have been aware of any of this in the
first place. This is not about preventing appropriate use of this legislation
or this bill to target police officers undertaking criminal or corrupt
activities. Our concern centres around the prospect of it being used in respect
of what all of us in this room would consider to be minor disciplinary issues.
Because the relevant legislation that underpins those disciplinary issues has
provisions for monetary penalties, they will be picked up.[34]
3.30
The Police Federation argued that the definition of 'pecuniary penalty'
in the Bill should be narrowed or the reference deleted. In the alternative,
the Police Federation submitted that the secondary disclosure provision should
exempt police disciplinary proceedings.[35]
3.31
On the other hand, the NSW Ombudsman argued that the current
restrictions on secondary disclosure are too narrow and that secondary
disclosure of telecommunications data to the Ombudsman to support its role in
investigating police misconduct should be permitted.[36]
The Western Australian Police also supported allowing secondary disclosure of
telecommunications data, such as call charge records, for the purpose of police
disciplinary proceedings.[37]
Government response
3.32
The Police Federation submitted correspondence from the Attorney-General
which explained that the bill 'permits the secondary disclosure of information
to an agency in circumstances where the receiving agency would itself have been
able to access the information directly from the carrier.'[38]
The Attorney-General also noted that the meaning of 'pecuniary penalty' is
'limited to specific monetary penalties set out in relevant legislation and
imposed by a court. The term does not include administrative sanctions that may
have a financial impact, such as for example, a demotion'.[39]
3.33
The Department gave further evidence regarding the difficulties involved
in excluding police disciplinary proceedings which impose a pecuniary penalty
from the operation of proposed section 182:
In general terms it would not be appropriate to exclude
pecuniary penalties overall. Obviously under some of the individual state and
territory police acts some of the pecuniary penalties that would trigger the
secondary disclosure provisions would be quite serious. Given that 'pecuniary
penalty' is a fairly broad term, the alternative would be to try to insert more
detailed definitions that relate and encompass all those different state and
territory police acts. Before we did that we would need to consult closely with
each of the state and territory police commissioners. It should also be said
that, because the definitions in question that are giving the Police Federation
trouble are in the state and territory legislation, our view is that it is
probably better that they deal with it as a matter under the state employment
legislation.[40]
Consideration of privacy implications
3.34
Privacy NSW commented favourably on the requirement in proposed
subsection 180(5) for an authorised officer to have regard to likely
interference with the privacy of individuals when giving authorisation for
access to prospective telecommunications data.[41]
Privacy NSW suggested proscribing (by way of regulation or similar) a
requirement to have each enforcement agency (to whom authorising officers
belong) develop guidelines on how the privacy implications of an authorisation
should be considered and documented.[42]
3.35
OPC made a similar recommendation that authorised officers be provided
with practical guidance, in the form of a note to the Bill or detail in the EM,
to assist them in discharging the obligation in proposed subsection 180(5).[43]
3.36
Privacy NSW and OPC also made recommendations regarding proposed
paragraph 189(4)(c) which provides that the Minister, before making
determinations in relation to interception capabilities, must take into account
the privacy of the users of telecommunications systems.[44]
In particular, OPC suggested:
...the inclusion of a note to the clause, or in the explanatory
memorandum, which provides guidance about how the privacy of telecommunications
users will be taken into account in the making of the determination.[45]
3.37
In the same vein, NSW Council for Civil Liberties welcomed the inclusion
of privacy as a consideration in proposed sections 180, 183 and 189 but
suggested that there should be 'further elaboration of this requirement in the
Bill by way of substantive requirements for protection of privacy.'[46]
Departmental response
3.38
The Department noted that the issue of providing further guidance on the
consideration of interference with privacy under proposed subsection 180(5) had
been raised during consultation on the Exposure Draft and advised that:
The Government did not agree with the recommendation to include
further legislative guidance on consideration of privacy. Consideration of
privacy issues will vary enormously according to the unique circumstances of
each situation. In particular, this may include the relationship between the
seriousness of the offences being investigated, the value of information likely
to be obtained, and the extent to which accessing this information would, in
the circumstances, breach an individual's privacy.
However, these are matters that the CAC [Communications Access
Coordinator] may wish to address in the procedural requirements provided for in
new section 183.[47]
Destruction of data
3.39
Proposed sections 174 and 177 deal with voluntary disclosures of
telecommunications data to ASIO and enforcement agencies by employees of a
carrier or carriage service provider. OPC suggested that these provisions
include:
...positive obligations on law enforcement agencies to destroy
irrelevant material containing personal information collected under these
provisions together with information which is no longer needed by such law
enforcement agencies and to do so in a timely manner.[48]
Departmental response
3.40
The Department advised in relation to this suggestion that:
The Government will consider this recommendation, but notes
reservations about the need for such an amendment. [49]
3.41
In particular, the Department suggested an amendment may not be required
due to the limitation that proposed section 181 would place on the use
of data lawfully disclosed under the TIA Act:
[T]he limitation on the use of information under section 181
means that information can only be used in relation to a lawful disclosure of
telecommunications data, and that the use is in connection with that lawful
disclosure. This means that telecommunications data which is irrelevant to a
criminal investigation cannot be lawfully used. It is our view that this
provision provides an equal protection as the need to destroy irrelevant
information.[50]
Obligations on carriers and carriage service providers
3.42
While submissions from the telecommunications industry generally
supported the Bill, they suggested minor amendments to the provisions relating
to obligations on telecommunications companies.
Communications Access Coordinator
3.43
AMTA suggested amendments to proposed section 6R to require the CAC to
act in accordance with the objects and regulatory policy of the
Telecommunications Act in the performance of his or her duties under Chapter 5
of the TIA Act.[51]
Mr Chris Althaus of AMTA noted:
The Communications Access Coordinator role seems to be one that
is particularly pivotal and we would like to see the objectives of the
Telecommunications Act picked up by the CAC...[52]
3.44
Vodaphone also considered that the replacement of the existing
provisions regarding 'agency coordinator' in the Telecommunications Act with
the new provisions establishing the CAC in the TIA Act resulted in:
...a lack of guidance afforded to the role of Communications
Access Co-ordinator in the conduct of its functions where previously there
existed at least some degree of clarity. This arises as a result of the removal
of provisions under the Telecommunications Act 1997 that mandated that
certain objects of the legislation were to be borne into account in the exercise
of these Co-ordinator's functions.[53]
Departmental response
3.45
An officer of the Department gave evidence that the amendment proposed
by AMTA to the definition of the CAC was unnecessary:
The objects of the Telecommunications Act are picked up under
several of the powers of the Communications Access Coordinator...The role of the
CAC is to make decisions on behalf of law enforcement—national security—in
relation to particular things, so we are not sure that it would add anything.
The definition, except for the change of the name from the agency coordinator,
is exactly as it has been since 1997 and it has worked extremely successfully.[54]
Delivery points
3.46
AMTA and Telstra expressed concerns regarding the factors ACMA will take
into account when determining delivery points under proposed subsection 188(6).[55]
AMTA explained that:
...meeting the Delivery Capability requirements often involves the
installation of specialised equipment for this purpose. In practical terms, the
location of a delivery point will be affected by the physical location of
equipment performing the Delivery Capability function. Therefore, the factors
to be considered in determining Delivery Points should also take account of the
location of any equipment performing Delivery Capability functions.[56]
Departmental response
3.47
In evidence to the committee, the Department noted that proposed section
188 did not alter the existing arrangements under the Telecommunications Act in
relation to delivery points. The Department also explained that, under proposed
section 188, carriers will nominate delivery points in the first instance.[57]
It is only where a carrier and an interception agency cannot agree on a
delivery point that ACMA will be required to make a determination under
proposed subsection 180(5).
Interception capabilities
3.48
AMTA and Telstra objected to the definition of 'interception capability'
in proposed subsection 187(2).[58]
In particular, AMTA was concerned that:
...the proposed definition includes any equipment connected to a
telecommunications network. Provision of services in an Internet environment
involves use of a variety of separate components that are clearly defined in
the Telecommunications Act 1997, including customer equipment, carriage
services, that is, the carrying of Internet 'packets' across networks and
Internet applications and content services, such as instant messaging and web
hosting. For the most part Internet applications, content services and customer
equipment can be independent of the Carrier or CSP [Carriage Service Provider].[59]
3.49
AMTA suggested changes to the definition in proposed subsection 187(2)
to provide that interception capability is not required in relation to
'customer equipment', or equipment supplying a 'content service', as these
terms are defined in the Telecommunications Act.[60]
3.50
Vodaphone also submitted that:
Some clarification may be required in the area of converged
services with the apparent grouping and classification of Internet content
services and applications onto the existing responsibilities of Carriers and Carriage
Service Providers. These obligations appear to be imposed without adequate
consideration given to the nature of proprietary applications and attention to
the inability of Carriers to apply operational control over such matters as
third party equipment.[61]
Departmental response
3.51
The Department explained that where equipment is not within the control
of carriers they will not have an obligation to provide interception
capability. However, an officer of the Department noted:
AMTA were talking about customer premise equipment and they
referred to the Telecommunications Act. Within the Telecommunications Act 'customer
premise equipment' refers to the equipment that resides within the premise of
the customer—for example, mainframes, network terminating units, routers and
switches. They gave examples of how in the new technology age these are
becoming less in control of the carrier. In our view in some cases in the
industry they manage or remotely manage those routers, switches or mainframes.
Therefore, we believe with regard to the definition under the act that the
physical location does not dictate whether or not the equipment is under the
control of the carrier.[62]
Interception capability plans
3.52
Proposed section 196 requires carriers to develop interception capability
plans (ICP) and proposed section 195 sets out matters that must be included in
the plan. AMTA submitted that proposed section 195:
...significantly expands the factors that must be included in an
Interception Capability Plan to include 'or a change in marketing or pricing of
services'. AMTA is concerned that this section 195 will place a significant
burden on carriers and CSPs [carriage service providers] to submit updated
plans to the CAC each time a price change is made or marketing campaign is launched
for each product service.[63]
3.53
Proposed paragraph 195(2)(f) and proposed subsection 195(4) would permit
the Minister to determine additional matters that must be dealt with by an
interception capability plan. Telstra expressed concern that this may allow the
Ministerial determination to expand the scope of a carrier's interception capability
obligations. It suggested that proposed subsection 195(4) should be amended to
clarify that any matters specified by the Minister to be included in the
interception capability plan should only relate to matters relevant to a
carrier's interception capability obligations.[64]
Departmental response
3.54
In response to a question on notice, the Department rejected AMTA's view
that proposed section 195 significantly expanded the matters that must be addressed
in an interception capability plan:
These provisions are consistent with the current provisions in
the Telecommunications Act. The guidance provided in the EM lists a number of
factors that are likely, if implemented, to effect interception capability. The
particular reference in the EM to changes in marketing or pricing of services
is referring to instances where a carrier may offer free services or undertake
major marketing campaigns with an expectation of substantially increasing their
customer base, which is likely to have an impact on the ability to provide
interception capability.[65]
3.55
In relation to Telstra's concern that proposed subsection 195(4) would
permit the Minister to expand the matters to be dealt with by an interception
capability plan beyond matters relevant to a carrier's interception capability
obligations, the Department advised that:
Any determination made by the Minister would necessarily be
restricted to interception capability obligations as defined by the TIA Act or
in accordance with any interception capability determinations made under
proposed section 189 of the Bill.[66]
Exemptions
3.56
The Communications Access Coordinator (CAC) may grant exemptions to
interception capability obligations under proposed section 192. Under proposed
subsection 192(5), a carrier will be deemed to have an exemption where the
carrier has applied in writing to the CAC and the CAC has not communicated a
decision on the exemption application within 60 days of the application. Proposed
subsection 192(6) provides that a deemed exemption only has effect until the
CAC communicates to the carrier a decision on the exemption application.
3.57
Mr Michael Ryan of Telstra explained industry concerns with the
operation of deemed exemptions:
[F]rom our point of view the CAC has 60 days to consider an
exemption application, and it is deemed after 60 days that you have got an
exemption. The problem is that CAC can come back and say you no longer have
that exemption, which then leaves us in a state of uncertainty as to what we do
with those applications...It makes it very uncertain in terms of delivering
advanced services to customers if there is no time line or dead end to the
deemed period.[67]
3.58
AMTA argued that there should be a time limit of 180 days on the refusal
of an exemption by the CAC under proposed subsection 192(6) unless the CAC
could establish that a demonstrated agency need for interception exists.
Alternatively, AMTA suggested that this provision should be repealed.[68]
Departmental response
3.59
The Department advised the committee that, in practice, this issue was
unlikely to arise as in the last two years no exemption application had
required more than 60 days to reach a decision.[69]
The Department also noted that:
The situation is such that when any application for exemption is
made, if it is a complex one—if there is a potential that an exemption will not
be granted—we engage immediately with the provider so that there will be no
potential surprises. We try to work with them to come up with a solution if we
believe that they strongly need interception capability...[W]e seek that the
providers ask for an exemption from their capability prior to the rollout of
that service, because we do not want to slow down the rollout of services...We
do not ask them to retrofit; we ask them to talk to us in advance of rolling
out a service.[70]
Ministerial determinations
3.60
Telstra expressed concern about the Minister's power to make
determinations in relation to interception capability under proposed section
189 and, in particular, the range of factors the Minister would be required to
consider before making a determination. In response to a question on notice,
Telstra stated that:
...the section should be broadened to require the Minister to take
into account the effect of the determination on the ability for new and
innovative products to be introduced into the Australian market, as well as on
existing products and services in the market (which includes the costs
implications of making existing products/services compliant with the subsequent
determination).[71]
3.61
Telstra explained further:
In terms of new and innovative products and services, there may
be various issues which make it extremely difficult or impossible to provide an
interception capability. For instance, the Minister may issue a determination
which requires industry to intercept a new or innovative product/service which
may be hosted overseas where the overseas product vendor is unable to provide
interception capability due to jurisdictional and/or technology constraints.
In this scenario, it may result in the new and innovative product/service not
being able to be made available in Australia.[72]
Departmental response
3.62
The Department noted in evidence to the committee that the Minister
would be required to consider the objects of the Telecommunications Act in
making determinations in relation interception capabilities.[73]
The EM explains that the objects of the Telecommunications Act include:
...the provision of a regulatory framework that promotes the long
term interests of end-users of carriage services, or of services provided by
means of carriage services; and the efficiency and international
competitiveness of the Australian telecommunications industry.[74]
Other issues
Network protection
3.63
Subsection 5F(2) and 5G(2) of the TIA Act currently provide the AFP with
exemptions for the purposes of network protection and enforcing professional
standards. Schedule 2, Items 11 and 12 would expand the current
exemptions for the AFP to cover Commonwealth agencies (AFP, the Australian Commission
for Law Enforcement Integrity and the Australian Crime Commission), security
authorities (ASIO, the Department of Defence, the Department of Foreign Affairs
and Trade) and eligible authorities of a state (police forces and integrity
commissions), all of which are defined in subsection 5(1). These provisions
will enable those agencies to monitor inbound and outbound communications for
the purpose of enforcing professional standards and protecting their networks without
the risk of breaching the TIA Act.[75]
3.64
However, the Inspector-General of Intelligence and Security (the IGIS)
questioned whether the coverage to allow network administrators in certain
agencies to protect network infrastructure is wide enough:
While one can well understand the need for adequate protection
of the agencies which directly protect obvious national security interests (ie
Australia's defence, security, international relations or law enforcement), the
question also arises as to whether there is other network infrastructure the
protection of which is also of particular importance to Australia's interests.[76]
Departmental response
3.65
The Department responded to a question on notice on this issue:
The Department recognises that a number of agencies across the
public and private sector need to ensure the security of their networks. The
Department is also aware that changing technologies have made the existing
provisions of the TIA Act increasingly at variance with the ways in which
networks operate. As such, some legitimate network protection activities may
result in technical breaches of the TIA Act.
The current and proposed exemptions represent an interim measure
to provide protection for those agencies that require the highest levels of
network security. The Department is currently working on a permanent solution,
which needs to take into consideration developing technologies and threats,
systems administration procedures and workplace privacy.[77]
Oversight
3.66
The IGIS noted there may be a role for his office in monitoring authorisations
to access prospective telecommunications data by ASIO officers. The IGIS
suggested that these authorisations should be examined as part of the IGIS
inspection program:
This would involve periodic visits by my staff during which they
would review all of the authorisations granted in the preceding period to
ensure that there was sufficient justification and that requirements imposed by
the Communications Access Coordinator under the proposed section 183 were met.[78]
Departmental response
3.67
The Department agreed with this suggestion and argued that the existing
jurisdiction of the IGIS under the Inspector-General of Intelligence and
Security Act 1986 would allow him to perform this role:
The IGIS has access to all of ASIO's records and staff and may
enter the agency premises at any time. Importantly, the IGIS has the power to
inquire into public complaints, conduct inquiries referred by Government, and
initiate inquiries. The IGIS regularly undertakes compliance inspections of
ASIO's records and reports on his findings in the IGIS Annual Report.
Accordingly, the Department considers that the IGIS already has
the necessary jurisdiction to oversight ASIO's use of the prospective data
regime.[79]
Review
3.68
On the issue of periodic reviews of the TIA Act, OPC submitted:
...the operation of the Interception Act should be subject to
overall independent review including key stakeholder and public consultation at
least every five years.[80]
Departmental response
3.69
The Department did not accept that the TIA Act should be the subject of
a mandatory statutory review process:
The Government does not agree to a requirement mandating formal
review in this way. As the experience of the past ten years demonstrates, the
legislation is subject to near constant operational review, leading to regular
legislative amendments and associated Parliamentary and public scrutiny,
including through Parliamentary Committee inquiries. This has included formal
reviews of the regime governing interception and industry obligations to assist
that were undertaken by Mr Pat Barrett, Mr Dale Boucher, Mr Peter Ford, Mr Tom Sherman
and Mr Anthony Blunn, as well as five Senate Committee legislative inquiries.
As such, any mandatory statutory review process is unnecessary.[81]
Committee view
3.70
The committee is satisfied that extensive consultation has occurred
between the Department, the telecommunications industry, law enforcement and
security agencies, and other interested parties. The committee, like many of
these parties, welcomes the further implementation of recommendations made in the
Blunn Review by the Bill, including establishment of a single comprehensive
legislative regime dealing with access to telecommunications information.
3.71
The committee acknowledges that consultation between the government and
the telecommunications industry is crucial to ensure that interception
capabilities support the legitimate requirements of enforcement agencies
without unduly impinging on the services provided by carriers and carriage
service providers. While some submissions argued for formal requirements for
consultation to be embedded in the Bill, the committee considers that
continuation of the existing arrangements for consultation between government
and industry are likely to be just as effective and considerably more flexible.
3.72
In the absence of any justification for the inclusion of CrimTrac in the
definition of 'enforcement agency', the committee considers that CrimTrac
should be removed from the definition. The inclusion of agencies in this
definition provides agencies with intrusive powers so the default position
should be that agencies are excluded, unless a positive justification for their
inclusion is forthcoming.
3.73
The committee believes that the suggestion that further guidance be provided
to assist authorised officers in assessing the privacy implications of
authorising access to prospective telecommunications data, as required by
proposed subsection 180(5), is a constructive one. However, the committee is
mindful of the Department's concerns that seeking to provide that guidance
within the Bill is likely to be impractical given the range of circumstances
confronting officers weighing these issues. The committee notes the
Department's advice that privacy issues may be addressed through the
determination of the CAC under proposed subsection 183(2) regarding the formal
requirements for authorisations and notifications. The committee recommends
that the CAC determination under that provision should address procedural
requirements in relation to the consideration and documentation of privacy
issues. In making this recommendation, the committee is mindful that proposed
subsection 183(3) will require the CAC to consult with the Privacy Commissioner
before making such a determination.
3.74
The committee supports the suggestion made by the IGIS that oversight of
access to prospective telecommunication data by ASIO should form part of his regular
inspection program. The committee notes advice from the Department that the
existing powers of the IGIS would permit such inspections.
3.75
The Senate Legal and Constitutional Legislation Committee previously
recommended an independent review of provisions inserted in the TIA Act by the
Telecommunications (Interception) Amendment Bill 2006.[82]
The committee believes that in light of the complexity of the legislation, its
acknowledged impacts on privacy and the potential for significant changes in
technology to substantially alter the reach and affect of provisions in the
Act, an independent review of the TIA Act in the next five years is highly
desirable. In particular, such a review would provide an opportunity to examine
further the issues of:
- whether there is a need to define 'telecommunications data', or
whether the distinction between 'content and substance' and other information
and documents operates effectively;
- what impact further technological developments have on the
operation of the TIA Act; and
- whether any of the obligations imposed on carriers and carriage
service providers are unnecessarily hampering the efficient delivery of
telecommunications services, including the introduction of new services.
3.76
The committee accepts the view of the government that it is unnecessary
to amend the Bill to require such a review.
Recommendation 1
3.77
The committee recommends that proposed paragraph 5(1)(m) of the Bill be
deleted to remove CrimTrac from the definition of 'enforcement agency'.
Recommendation 2
3.78
The committee recommends that the determination of the Communications
Access Coordinator under proposed subsection 183(2) address requirements for the
consideration and documentation of privacy issues by authorised officers.
Recommendation 3
3.79
The committee recommends that the Inspector-General of Intelligence and
Security incorporate into his regular inspection program oversight of the use
of powers to obtain prospective telecommunications data by the Australian
Security Intelligence Organisation.
Recommendation 4
3.80
The committee recommends that the Attorney-General's Department arrange
for an independent review of the operation of the Telecommunications
(Interception and Access) Act 1979 within five years.
Recommendation 5
3.81
Subject to the preceding recommendations, the committee recommends that
the Bill be passed.
Senator Guy Barnett
Chair
Navigation: Previous Page | Contents | Next Page