The Federal Government recently published its final version of the Guidelines for the use of section 313(3) of the Telecommunications Act 1997 by Government agencies for the lawful disruption of access to online services. The Guidelines outline important information for agencies on the content of section 313(3) requests to block websites and include "good practice" measures to ensure such requests can be effectively actioned.
What does section 313(3) of the Telecommunications Act require?
Internet service providers must give officers and authorities of the Commonwealth and of the States and Territories such help as is reasonably necessary for various purposes, for example enforcing the criminal law and safeguarding national security. This general obligation extends to disrupting access to online services by blocking websites, in appropriate circumstances.
What are the Guidelines for?
The Guidelines relate to government agencies' use of section 313(3) to lawfully disrupt access to online services. The aim of the Guidelines is to address concerns over the transparency and accountability associated with section 313(3) requests and to prevent any inadvertent disruptions flowing from such requests.
The Guidelines do not cover other requests for assistance made under section 313.
To whom do the Guidelines apply?
The Guidelines apply to Australian Government agencies, while State and Territory agencies are encouraged to follow them.
Agencies should be mindful that recipient organisations can also access the Guidelines and challenge any deficiencies in a section 313(3) request. Further, the Guidelines address technical matters that agencies should adopt in order to make their section 313(3) requests effective.
Recommended "good practice" measures
The Guidelines recommend the following "good practice" measures for agencies when making section 313(3) requests:
- obtain authority and approval: agencies should ensure that section 313(3) requests to disrupt access are approved by an Agency Head (Senior Executive Service officer or equivalent);
- publish internal policies and procedures: agencies should develop, maintain and publish online internal policies for the disruption requests, in particular specifying how long a disruption is to remain in place;
- develop complaints and review support: agencies should have complaint and review support procedures that allow affected parties to contest a decision to disrupt access. Affected parties should be assisted by the agency rather than being directed to the ISP; and
- limit disruption: agencies should limit use of disruption requests to serious criminal or civil offences, or threats to national security. There is also a recommendation for agencies to consult ISPs prior to making a request. A new addition made after the 2016 draft report is that, alongside other factors, agencies must consider Australia's commitment to "promoting an open, free and secure Internet" to determine whether a request to disrupt access is appropriate;
- prepare and provide public information: agencies should publish each request and include (where practicable) why the request has been made. Public notification can occur through, for example, media releases and online posts. In addition, agencies should provide ISPs with a generic government "stop page" for members of the public that try to access a disrupted site. The stop page should include, where appropriate:
- the name of the agency requesting the disruption;
- the reason (at a high level) that the disruption has been requested;
- an agency contact point via a telephone number and email for more information (this is a new addition made after the draft report); and
- information about how a party adversely affected by the disruption could make a complaint or seek a review (see below).
- have access to technical expertise: agencies should have the appropriate level of technical expertise or access to external agencies and experts to ensure that any disruption requests are effective, responsible and able to be executed appropriately. Before making a request, agencies should consult ISPs about how assistance may be best provided. A new addition made after the draft report is an acknowledgement that ISPs use different methods to block websites and that agencies should consider the method used by the ISP. The Guidelines recommend that agencies request a DNS and/or URL be blocked rather than IP addresses.
- recommend government agencies have an active role in managing the disruption process, rather than simply requiring recipient organisations to implement and manage the request; and
- require agencies to have the appropriate level of technical expertise in order to communicate how the section 313(3) request should be implemented.
If these are kept in mind, agencies will be able to achieve the Federal Government's objective of a transparent, accountable and effective section 313(3) disruption request process.