In July 2012, the Parliamentary Joint Committee on Intelligence and Security (Joint Committee) commenced an inquiry to examine and report on a package of national security reform proposals described in a Discussion Paper referred to the Committee by the Attorney-General and entitled, 'Equipping Australia against Emerging and Evolving Threats' (Discussion Paper).
The Discussion Paper notes that law enforcement agencies are facing increasing difficulty in reliably identifying communications of interest in high volumes of communications traffic, reliably and securely accessing data of interest and effectively interpreting communications once obtained. The proposed reforms seek a radical overhaul of Australia's national security legislation, to facilitate law enforcement. Proposals for reform include:
- Introduction of new requirements to protect information and infrastructure;
- Simplifying and broadening the power to issue interception, preservation and access warrants;
- Extending coverage of the law beyond carriers and carriage service providers to online service providers;
- Requiring providers to assist with decryption of messages; and
- Imposing an ongoing obligation to retain specific data sets for up to 2 years.
More than 200 submissions have been received in response to the Discussion Paper.
Concurrently, Parliament has been considering and has passed the Cybercrime Legislation Amendment Act (2012) (Cybercrime Legislation).
In this update we provide a brief outline of the changes introduced by the Cybercrime Legislation and an overview of the position taken in some of the key submissions received by the Joint Committee in response to the Discussion Paper.
The Cybercrime Legislation received assent on 12 September 2012. It introduces changes designed to facilitate Australia's accession to the Council of Europe Convention on Cybercrime. The new laws:
- require carriers to preserve certain stored communications (messages and traffic data) for up to 90 days if requested by certain Australian government agencies;
- require carriers to preserve the same kinds of information if requested by the Federal Police on behalf of a foreign country;
- allow for information to be obtained and disclosed for the purpose of assisting an investigation by the agency of a foreign country;
- introduce extraterritorial operation for certain offences under the Telecommunications (Interception and Access) Act;
- introduce confidentiality requirements; and
- amend the Criminal Code to remove the limitations that computer offences only apply to conduct involving Commonwealth computers, Commonwealth data or use of a carriage service.
Background to Discussion Paper
The Discussion Paper canvasses possible changes to the Telecommunications (Interception and Access) Act 1979 (TIA Act); the Telecommunications Act 1997 (Telco Act); the Australian Security Intelligence Organisation Act 1979 (ASIO Act); and the Intelligence Services Act 2001 (IS Act).
The objective of the inquiry is to consider the effectiveness and implications of the proposed reforms whilst having regard to:
- the desirability of comprehensive, consistent and workable laws and practices to protect the security and safety of Australia, its citizens and businesses (balanced against safeguarding human rights and privacy of individuals);
- the need to ensure the intelligence, security and law enforcement agencies are equipped to effectively perform their functions and cooperate effectively in the current and future technologically advanced and globalised environment; and
- the fact that national security brings shared responsibilities to the government and private sector, whose interests and obligations must also be balanced.
Submissions to the inquiry closed on 20 August 2012, and the Committee ultimately received a total of 201 submissions from a number of individuals, industry and government bodies including the Department of Broadband, Communications and the Digital Economy (DBCDE), the Australian Federal Police (AFP), the Office of the Australian Information Commissioner (OAIC), the Australian Mobile Telecommunications Association (AMTA) and Communications Alliance, the Internet Industry Association (IIA), the Australian Communications Consumer Action Network (ACCAN), the Law Council of Australia, and individual industry members including iiNet, Vodafone Hutchison Australia, Optus, Telstra and Macquarie Telecom.
Many submissions commented that the changes proposed by the Discussion Paper are substantial and far reaching. There is general support from a number of quarters for introducing privacy-focused objects into the TIA Act and Telco Act, but general criticism that the Discussion Paper lacks sufficient information to demonstrate that the proposed increases in powers are proportionate and necessary. Many submissions highlight concern about the potential for the introduction of a substantial additional regulatory burden. There is also concern that the requirement to retain user information for a significant period represents a significant privacy risk.
Key issues under consideration
Infrastructure Security Reforms
Submitters called for data regarding the number and type of breaches suffered by Australian telecommunications networks that would support the proposal to impose new infrastructure security requirements. The IIA and a range of industry members questioned whether new regulatory requirements are justified and whether the cost of implementation would be proportionate to the risks identified by the Discussion Paper.
The Government considers that imposing requirements on industry to retain current information for the purposes of supplying a service to enforcement agencies and to assist agencies in decrypting information would greatly enhance agencies’ abilities to detect and disrupt criminal and other behaviours that threaten national wellbeing.
Submissions under this heading generally objected to such a proposal. AMTA and Communications Alliance's submission states that telecommunications service providers should not be required to create or retain communications data that would not normally be used in the day-to-day business operations or network traffic management requirements of the service providers. Such revisions to the data retention obligations could run into tens of hundreds of millions of dollars. Other submissions state that such costs should be recoverable from agencies benefitting from access to such information and not be borne by industry. Otherwise, as ACCAN submits, such costs are likely to be passed on to consumers in the form of higher prices.
It is clear that the Committee will need to examine the necessity and effectiveness of such reform in light of the possible financial and economic consequences that could occur as a result. Industry representatives advocate that a cost-benefit analysis also be undertaken as part of the review.
Extending the Interception regime
The Government considers that the exclusion of social networking and cloud computing providers creates potential vulnerabilities in the interception regime that are capable of being manipulated by criminals. The Discussion Paper argues that by extending the interception regime to such ancillary providers, uncertainty about the application of industry obligations in relation to agency requests would be reduced and Australia would be better placed to meet domestic and international demands.
Many submitters observed that the effect of this extension on Australian service providers would be to catch all products offered by a service provider covering those types of services (e.g. webmail or OTT applications) which were not previously subject to lawful interception obligations but for the carriage element. Social media and online services currently outside the interception framework would therefore be regulated. The lack of detail regarding this proposal in terms of scope and practical operation was also criticised.
Submitters suggest that the Joint Committee must consider, among other things, how the regulatory regime would apply to global service providers located outside of Australia in light of the jurisdictional coverage of Australian legislation, established and potential mechanisms for international cooperation, identification of end users of such services and the ongoing competitiveness of Australian based service providers.
A tiered model approach
The Government considers that, in light of current practice, the telecommunications industry would be better served by moving towards a tiered model approach where larger providers will support comprehensive interception and delivery capability, medium providers will provide minimum interception and delivery capability and smaller providers will provide assistance only as reasonably necessary.
AMTA and Communications Alliance's submission states that the Government's proposed model opens up the possibility of significant bypass of interception capabilities and requirements, and that a regime indicating that small service providers will have no interception capabilities invites organised criminals to target such providers. Instead, the submission favours an approach where investment in interception capabilities is based on agency need and risk, and where interception is most likely to be utilised and be effective. A submission by Huawei Australia reveals concerns that the reforms will be imposed in a way that discriminates against particular vendors, or vendors from a particular country of origin with little or no benefit for security outcomes.
Since such a proposal would result in more regulation for companies with greater market share, the Committee is expected to take into account and balance the interests of all relevant stakeholders.
A graduated suite of enforcement measures
The Government considers that, in order to create further incentive for industry to cooperate and to proportionately address various levels and forms of industry non-compliance, a graduated suite of enforcement measures (including the power of direction) should be introduced under a regulatory framework. Such enforcement measures, which would include directions involving targeted mitigation or remediation of security risks (including modifications to infrastructure, audit and ongoing monitoring) and financial penalties, would apply where engagement with carriers and carriage service providers (C/CSPs) proves to be ineffective or where there is a blatant disregard of security information.
Industry submitters including the IIA challenge the need for such proposed reforms on the basis that industry is naturally predisposed to protecting its infrastructure without the need for additional incentives. In addition, submitters say that sanctions or penalties in relation to the failure to assist agencies in decrypting communications must be based on proof that the organisation is capable of assisting and evidence that they have refused to do so. Huawei Australia's submission states that there are already relevant enforcement mechanisms and national security provisions in the Telco Act, and that any changes should be proportionate and incremental. Furthermore, the Internet Society of Australia submits that these should be commensurate with the risks involved.
From the Discussion Paper and submissions, it is clear that further justification and clarification are sought as to why such enforcement measures are needed.
Submitters note that while the terms of reference acknowledge that national security brings 'shared' responsibilities to the government and private sector, the proposed reforms appear to shift a number of responsibilities, costs and risks traditionally associated with the Government and its agencies onto those in the industry. The proposed responsibilities are then to be subject to the imposition of further regulation and penalties. Concerns are expressed that if the reforms are implemented, there will be quite an aggressive change in the laws, which would not only have implications for those in the telecommunications sector but for ISPs as well.
The Joint Committee has recently completed public hearings in Melbourne and Canberra. Public hearings are being held in Sydney on 26 and 27 September. No date has been set in the terms of reference and no date has been announced for the release of the Committee's report.