Submission

23 February 2007

Exposure draft of Telecommunications (Interception and Access) Amendment Bill 2007

Below is a copy of EFA's submission to the Attorney-General's Department in response to the Exposure draft of Telecommunications (Interception and Access) Amendment Bill 2007.


Contents:

  1. Introduction
  2. No disclosure of contents or substance of a communication
  3. Disclosures authorised by law (s280 and proposed amendments to s313 of the TA)
  4. Access to telecommunications data (Chapter 4)
    1. Meaning of "telecommunications data"
      1. Mobile phone locational information, etc.
      2. Email message "content"
      3. Internet web browsing logs and web chat forum logs, etc
    2. Voluntary disclosure
    3. Authorisations for access to existing information or documents
      1. Lack of certified authorisations
      2. Form of authorisations
      3. Additional Agencies
      4. Authorised Officer
    4. Authorisations for access to prospective information or documents
    5. Secondary disclosure/use offence
    6. Civil Remedies
    7. Civil Proceedings and/or administrative action
    8. Report to Communications Access Co-ordinator
  5. Authorisation of interception for developing and testing interception capabilities (Chapter 2, Part 2-4)
  6. Dealing for permitted purpose in relation to agency
  7. Matters arising from amendments to the 2006 TI Bill
    1. Unrestricted access to stored communications by carrier employees?
    2. Knowledge/Notice Provisions and Part 13/s280 of the TA
    3. Access to communications that are not in the "possession" of the carrier, nor a party to the communication
    4. Type of lawful authority required for agency access to recordings made by a carrier and stored on a carrier's equipment
    5. Definition of accessing a stored communication and "record"
    6. Inappropriate requirement to notify carriers of remote access to communications during execution of s3L warrant
    7. Senate Legal and Constitutional Legislation Committee Recommendations
  8. Conclusion
  9. References
  10. About EFA

1. Introduction

EFA appreciates the opportunity to make this submission in relation to the Exposure Draft of Telecommunications (Interception and Access) Amendment Bill 2007[1].

However, we take this opportunity to re-iterate our concern that the existence of the exposure draft for consultation purposes was not made known to EFA by the Attorney-General's Department and that we did not become aware of it until a week after it had been provided by the Department to industry and law-enforcement stakeholders.

While we appreciate the Attorney-General's Department's offer and willingness to extend the deadline for submissions by a week for EFA, we do not regard a two week period to be adequate in relation to this type of proposed legislation. The lack of a draft explanatory memorandum or any other explanatory documentation makes review of the exposure draft more time consuming and difficult than it would otherwise be.

Furthermore, the exposure draft contains new powers for law enforcement agencies on which there has been no prior public consultation (some of which appear to raise technical feasibility and practicality issues), and contains provisions that were not recommended in the Blunn Review Report[2], and provisions that are contrary to some recommendations in the Blunn Report. As a result, we consider a significantly longer period for preparation of submissions would have been appropriate.

As a result of the above mentioned time-frame and circumstances, EFA may identify matters of concern, additional to those below, at a future date.


2. No disclosure of contents or substance of a communication

Chapter 4, Division 2-General provisions
172 No disclosure of the contents or substance of a communication
Divisions 3 to 5 do not permit the disclosure of:
(a) information that is the contents or substance of a communication; or
(b) a document to the extent that the document contains the contents or substance of a communication.

This provision is welcomed because it resolves the long-running issue, which EFA has raised in submissions numerous times in the past, of whether or not s282(1) and (2) of the Telecommunications Act 1997 ("the TA") could be used to authorise disclosure of the contents or substance of a communication (without a warrant or even certificate). It seems clear that, once enacted, s172 will have the effect of ensuring that the voluntary disclosure provisions (which replace s282(1) and (2) of the TA) cannot be used to disclose the contents or substance of communications.

However, it is of major concern to EFA that other provisions in the exposure draft indicate that enforcement agencies might be able to obtain the contents or substance of communications from carriage service providers without an interception or stored communications warrant issued under Telecommunications (Interception and Access) Act 1979 ("the TIAA"). See Section 3 below.


3. Disclosures authorised by law (s280 and proposed amendments to s313 of the TA)

EFA remains highly concerned by the apparent lack of any intention to amend s280 of the TA to clarify that s280 does not permit access by agencies to the contents or substance of communications without a warrant issued under the TIAA. EFA has raised this matter on a number of occasions before, as has the Senate Legal and Constitutional Legislation Committee:

"3.18 The Committee recommends that the Bill be amended to include a provision amending Section 280 and subsections 282(1) and (2) of the Telecommunications Act 1997, effective from the same date as the Bill, to make it clear that covert access to stored communications is not permitted without a stored communications warrant."[3] [emphasis added]

EFA's concerns in relation to s280 are now exacerbated by proposed amendments to s313 of the TA contained in the exposure draft.

The exposure draft deletes the provisions of s313 and replaces it with new provisions. The new provisions include:

313 Obligations of carriers and carriage service providers
...
(3) A carrier or carriage service provider must, in connection with:
...
give officers and authorities of the Commonwealth and of the States and Territories such help as is reasonably necessary for the following purposes:
   (c) enforcing the criminal law and laws imposing pecuniary penalties;
   (d) protecting the public revenue;
   (e) safeguarding national security.
...
(7) A reference in this section to giving help includes a reference to giving help by way of:
(a) the provision of interception services, including services in executing an interception warrant under the Telecommunications (Interception and Access) Act 1979; or
(b) giving effect to a stored communications warrant under that Act; or
...
(e) disclosing information or a document in accordance with section 280 of this Act.

Sub-section 7(e) above is new; no mention of s280 is contained in existing s313.

It is unclear why ss7(e) is being added given that carriage service providers are required to provide reasonably necessary help only to enforcement agencies and ss7(a) and (b) make clear that such help must be given in relation to executing warrants under the TIAA.

EFA submits that s280(1)(a) of the TA must be amended as follows:

Replace:

280 (1) Division 2 does not prohibit a disclosure or use of information or a document if:
(a) in a case where the disclosure or use is in connection with the operation of an enforcement agency-the disclosure or use is required or authorised under a warrant;

with:

280 (1) Division 2 does not prohibit a disclosure or use of information or a document if:
(a) in a case where the disclosure or use is in connection with the operation of an enforcement agency-the disclosure or use is required or authorised by the Telecommunications (Interception and Access) Act 1979;


4. Access to telecommunications data (Chapter 4)

4.1 Meaning of "telecommunications data"

EFA is of the view, as a result of developments in telecommunications technologies since original drafting of the TIAA and TA, that there is a need to either define "telecommunications data" for the purpose of proposed Chapter 4, or at the least implement legislative restrictions on what type of "information or documents" are authorised to be disclosed by Chapter 4.

The Blunn Report states at 1.5.15:

"(b) 'call data' which, although it varies with technology, is basically the 'traffic information' that records that a communication has occurred; (often) the time, duration and location of the 'call'; and the addresses (numbers) of the sender and the intended recipient, in the internet environment this would be the IP address".[2]

However, the legislation contains no reference to "call data" or "traffic information", nor does it define "content or substance".

4.1.1 Mobile phone locational information, etc.

EFA is particularly concerned as to whether, for example, mobile phone locational information may be allowed to be disclosed by merely a written request under Chapter 4. This concern is heightened by the proposed new powers to enable criminal law enforcement agencies and ASIO to require disclosure of information which comes into existence up to 45 days (or 90 in the case of ASIO) after the request is issued.

If such requests could apply to mobile phone locational information, it would in effect enable tracking and surveillance of individuals' whereabouts during a period of 45 (or 90) days without a surveillance device warrant, or any other type of warrant.

As to whether such written requests could apply to locational information, remarks in the Blunn Report are notable:

"1.1.25. An issue which arose during the review was the use of telecommunications data for surveillance purposes. Mobile telephones provide locational data and the precision of that data can be expected to improve. That data is generated without any specific intervention. The use of that data for security and law enforcement purposes is obvious. The privacy implications are equally obvious. However it is far from clear whether access is subject to any regulation. What does seem clear is that the issue is about access to telecommunications data.
1.1.26. Accordingly I recommend that the access to such data for surveillance purposes be considered in the context of the requirement for comprehensive and over-riding legislation dealing with the general issue of access to telecommunications data."[2] [emphasis added]

However, it appears there is no intention to address the above issue and Mr Blunn's recommendation prior to proposed Chapter 4 being implemented.

EFA is opposed to Chapter 4 being implemented in the absence of a prohibition on disclosure of locational information under that Chapter.

4.1.2 Email message "content"

EFA also considers legislative amendments are necessary to clarify, or indeed establish, a dividing line between so-called "call data" and the content or substance of communications, in relation to email messages.

Email messages consist of two parts: a header section and a body section (although this is not readily apparent to those users who do not know how to set their email software to display the whole header).

The body section is plainly "content" because it is the text of the message, but it is unclear what parts of the header section are, or are not, regarded as content/substance. For example, the header section contains not only dates, to/from email addresses and IP address/es but also the subject line of the message.

In our view, the subject line is part of the content of a message, but it is by no means clear to us that this would be the position under law, nor whether the same view would be held by all carriers and agencies. Some email messages also carry significantly more other information in the header section than is equivalent to "traffic information" associated with telephone calls.

EFA considers that written requests under proposed Chapter 4 should be limited to authorising access to the equivalent of "traffic information" of telephone calls, that is, dates of sending/receiving and information about the source and destination of the communication such as the sender and recipient's email addresses and IP addresses. The subject line and any other information in the header section should be legislatively regarded as content/substance.
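The dividing line proposed above can be expressed as an allow-list over header fields. The following is an added illustration, not part of EFA's submission: the function names, the choice of which fields count as sender, recipient and date fields (including Cc and Bcc), and the sample message are all assumptions constructed for the example.

```python
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime
import ipaddress
import re

# Assumed mapping of header fields to the "traffic information" categories
# named in the text: dates, sender/recipient addresses, IP addresses.
DATE_FIELDS = {"date"}
SENDER_FIELDS = {"from", "sender"}
RECIPIENT_FIELDS = {"to", "cc", "bcc"}
HOP_FIELDS = {"received"}

# Received lines conventionally carry the peer address in square brackets.
BRACKETED = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def _iso(value):
    """Return an ISO 8601 timestamp, or None if the date cannot be parsed."""
    try:
        return parsedate_to_datetime(value.strip()).isoformat()
    except (TypeError, ValueError):
        return None


def _hop(value):
    """Keep only IP addresses and the timestamp from one Received header.

    Host names, queue ids and any 'for <recipient>' clause are dropped.
    """
    ips = []
    for candidate in BRACKETED.findall(value):
        try:
            ips.append(str(ipaddress.ip_address(candidate)))
        except ValueError:
            pass  # bracketed text that is not an IP address
    stamp = value.rpartition(";")[2] if ";" in value else ""
    return {"ips": ips, "received": _iso(stamp)}


def _addresses(value):
    """Return bare addresses only; display names are not traffic data."""
    return [addr for _, addr in getaddresses([value]) if addr]


def traffic_data(raw_message):
    """Split a message into disclosable traffic data and withheld fields.

    Anything not on the allow-list (Subject, Message-ID, X-* fields, the
    body, ...) is treated as content/substance: only the field NAME is
    recorded, never its value.
    """
    msg = message_from_string(raw_message)
    out = {"sent": None, "from": [], "to": [], "hops": [], "withheld": []}
    for name, value in msg.items():
        key = name.lower()
        if key in DATE_FIELDS:
            out["sent"] = _iso(value)
        elif key in SENDER_FIELDS:
            out["from"] += _addresses(value)
        elif key in RECIPIENT_FIELDS:
            out["to"] += _addresses(value)
        elif key in HOP_FIELDS:
            out["hops"].append(_hop(value))
        else:
            out["withheld"].append(name)
    return out


# Constructed sample message (documentation addresses and domains only).
SAMPLE = """\
Received: from mail.example.org (mail.example.org [192.0.2.10])
\tby mx.example.net with ESMTP id 4F2A1; Mon, 19 Feb 2007 10:15:02 +1100
Date: Mon, 19 Feb 2007 10:15:00 +1100
From: Alice Example <alice@example.org>
To: Bob Example <bob@example.net>
Subject: Results of your medical test
Message-ID: <constructed-1@example.org>
X-Mailer: ExampleMail 1.0
In-Reply-To: <constructed-0@example.net>

Body text that is plainly content.
"""

if __name__ == "__main__":
    for field, value in traffic_data(SAMPLE).items():
        print(f"{field}: {value}")
```

The subject line, the threading fields, the mail client string and the display names never reach the output; a deny-list would fail open whenever a message carries a header field its author had not anticipated.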

4.1.3 Internet web browsing logs and web chat forum logs, etc

We note the Terms of Reference for the Blunn Review recognised that "while the concept of a communication 'passing over' is technology neutral, its application has become more difficult in the context of advanced telecommunications services such as email, Internet browsing, short messaging services and other evolving technologies". However, the Review report does not appear to refer to stored records of Internet browsing.

We also note that the second reading speech of the December 2004 amendments to the TI Act[4] states that: "A telecommunications interception warrant will continue to be required for live monitoring of telephone calls, email or SMS messages transiting our telecommunications system, web browsing or Internet chat sessions" and the 2006 amendments have not changed the requirement for an interception warrant in the case of live/real-time access.

However EFA questions what form of lawful authority is required in the circumstance of an agency seeking access, from carriers, to stored logs of Internet access activities by users. This includes logs of web chat forum communications, logs of web pages visited, etc.

EFA was informed some years ago that Section 282 of the TA had been used by some police to obtain dates/details of all web pages etc that Internet users visit, i.e. the URLs of web pages that a user has visited and/or files that have been downloaded over a potentially extensive period of time. It is not known whether such an interpretation of the legislation has continued, nor whether certified, or un-certified, requests were used in the past. It appears highly unlikely that the Government or Parliament envisaged such surveillance/tracking of users by way of either certified or un-certified requests because at the time the Telecommunications Bill 1996 was drafted few people had sufficient knowledge and understanding of the new technology of the Internet to be aware of the possibility of such use of Section 282.

Use of existing Section 282, or the proposed "written requests", to obtain details of web pages visited is significantly more privacy invasive than its use to obtain telephone numbers to or from which calls were made. Telephone numbers do not provide any detail about the content of a communication. However, a URL of a web site does provide information about the content of the communication and also enables the person who has seized such information to access and read the content of the web page/s visited by another person.

EFA considers that agencies seeking access to Internet browsing logs and records should be required to obtain a stored communications warrant.

In our view, such records meet the definition of communication and stored communication in the TIAA and therefore, if Section 282 was previously being used, it should not have been since the new legislation became effective from 13 June 2006.

However, EFA considers that the provisions concerning "written requests" should be amended to make clear and certain that such requests do not authorise access to stored logs of online chat forums, or Internet browsing, or file downloading activity.


4.2 Voluntary disclosure

174 Voluntary disclosure
Sections 276, 277 and 278 of the Telecommunications Act 1997 do not prohibit a disclosure of information or a document to the Organisation if the disclosure is in connection with the performance by the Organisation of its functions.

177 Voluntary disclosure
Sections 276, 277 and 278 of the Telecommunications Act 1997 do not prevent a disclosure of information or a document to a criminal law-enforcement body if the disclosure is reasonably necessary for the enforcement of the criminal law.

181 Voluntary disclosure
Enforcement of a law imposing a pecuniary penalty
(1) Sections 276 and 277 of the Telecommunications Act 1997 do not prevent a disclosure of information or a document to a civil penalty-enforcement body if the disclosure is reasonably necessary for the enforcement of a law imposing a pecuniary penalty.
Protection of the public revenue
(2) Sections 276 and 277 of the Telecommunications Act 1997 do not prevent a disclosure of information or a document to a public revenue body if the disclosure is reasonably necessary for the protection of the public revenue.

We observe that the voluntary disclosure provisions are effectively a copy of existing s282(1) and (2) of the TA and that Mr Blunn's recommendations in this regard are not being implemented. The Blunn report stated:

1.7.5. In as much as they require the eligible person to form an opinion that disclosure is 'reasonably necessary' for the enforcement of the criminal law or the protection of the public revenue they [s282(1) and (2)] appear inappropriate and sit oddly with the requirement established by subsections 282(3), (4) and (5) for a certificate from the requesting agency in which case access to content or substance is precluded.
1.7.6. That said, there is obviously a case for enabling eligible persons who do come across information in the course of their employment which they consider relevant to security or law enforcement to report that to an appropriate authority. From a privacy point of view the provisions as presently drafted are not adequate and I recommend that they be reviewed with a view to clarifying the objective and better identifying the process to be followed.
[2]

EFA submits that the voluntary disclosure provisions should be re-drafted in a way that makes clear the objective and identifies processes to be followed.


4.3 Authorisations for access to existing information or documents

Division 4-Criminal law-enforcement bodies
178 Authorisations for access to existing information or documents-enforcement of the criminal law

Division 5-Civil penalty-enforcement bodies and public revenue bodies
182 Authorisations for access to existing information or documents

We note that the provisions concerning access to existing information are substantially similar to s282(3), (4) and (5) of the TA in that these provisions do not provide new access powers to the enforcement agencies currently defined in the TA, except that criminal law-enforcement agencies will gain the right to issue a written request to emergency call persons for disclosure of information.

However, EFA has a number of concerns about the proposed new provisions.

4.3.1 Lack of certified authorisations

Under existing s282 of the TA, disclosure is authorised only "if an authorised officer of a criminal law-enforcement agency has certified that the disclosure is reasonably necessary for the enforcement of the criminal law" and such a certificate "must comply with such requirements as are determined in writing by the ACMA". The conditions referring to civil and public revenue agencies are equivalent.

However, the proposed new provisions do not require an authorised officer to certify that the disclosure is reasonably necessary for the enforcement of the [relevant] law. Instead they merely require that an officer "be satisfied".

EFA considers that authorised officers should continue to be required to certify that the disclosure is reasonably necessary and provide a copy of that certification to the carriage service provider from whom disclosure is sought. In this regard, we also note that the Blunn Report recommended that no changes be made to the existing requirement for a conforming certificate:

"1.6.1. ... access to call data should only be provided on production of a certificate;
...
1.7.2. Other than to reinforce the requirement that access should only be provided on receipt of a conforming certificate I see no reason to change that regime and I recommend accordingly."
[2] [emphasis in original]

EFA is opposed to passage of the proposed legislation without a requirement for certification by an authorised officer that the disclosure is reasonably necessary and issue of a conforming certificate.

It is essential that carriage service providers be presented with a certificate making it quite clear to the carriage service provider that an authorised officer has certified that the disclosure is reasonably necessary. Carriage service providers, who are at risk of criminal or civil proceedings in relation to disclosures that were not "reasonably necessary", should be provided with documentation evidencing that an officer of an enforcement body certified that the disclosure was reasonably necessary. The proposed written requests, which unlike existing s282 certificates do not require an officer to certify necessity, do not provide carriage service providers with adequate protection against the time, costs and inconvenience of court actions, which they would incur whether or not such an action would be likely to result in a conviction or civil remedy.

Furthermore it should be borne in mind that these provisions will not only apply to the Australian Federal Police (AFP) but also to the multitude of State and Territory criminal, civil penalty and public revenue agencies, who may not have an equivalent level of external and internal oversight, accountability mechanisms and internal procedures as the AFP (or for that matter any other Commonwealth enforcement agency).

4.3.2 Form of authorisations

We observe that the proposed provisions require merely that an authorisation be "in written form" or "in electronic form (for example, email)" (s185) and that the Communications Access Co-ordinator "may" determine requirements for authorisations (s187).

As stated above, EFA agrees with Mr Blunn that a conforming certificate should continue to be required. However, whether it is or not, s187 must be changed to state that the Communications Access Co-ordinator must determine requirements in relation to the form of authorisations, given the ACMA's existing determinations in this regard will no longer apply.

It is essential that requirements be determined by the Communications Access Co-ordinator and published before the proposed legislation becomes effective. Among other things, systems/procedures must be put in place to ensure a carriage service provider can know whether an email sent to them purporting to authorise a disclosure does in fact originate from an authorised officer. In this regard, for example, ACMA's existing requirements[5] (which will no longer apply) state:

f. if the certificate is in electronic form-confirm that a particular authorised officer issued the certificate, by identifying that officer through a unique code or unique identification consisting of a combination of symbols (for example, numbers, letters, marks and signs) which are recognisable to the person being requested to disclose the information or documents

In the absence of rules such as the above, carriage service providers would find themselves having to spend time investigating the source of an email, and there would be a risk of unlawful disclosure in response to emails that were not in fact sent by an authorised officer.

4.3.3 Additional Agencies

EFA notes that a number of additional agencies/bodies are to be added to the currently existing list in the TA and that all but one of the additions are authorised interception agencies.

CrimTrac

EFA questions why CrimTrac is to be added to the definition of criminal law-enforcement body (agency) and would thereafter be able to obtain information about telecommunications users and their communications from carriage service providers.

It is EFA's understanding that CrimTrac is not a law enforcement agency except for limited purposes relating to spent convictions legislation.

As CrimTrac is not, to our knowledge, a law enforcement agency authorised to conduct investigations into suspected criminal offences we see no legitimate reason why CrimTrac should be authorised to in effect compel carriage service providers to disclose information or documents about telecommunications users and their communications.

Accordingly EFA submits that CrimTrac should be deleted from the definition of criminal law-enforcement body.

4.3.4 Authorised Officer

We observe that the lengthy and complex definition of "senior officer" in the TA is to be, in effect, significantly shortened on transfer into the TIAA. While we have not analysed the definitions in depth (during the short consultation period), our brief review indicates that the end result is probably the same. However, if we become aware that the new definitions result in persons of less seniority being able to be "authorised officers" for the purpose of authorising disclosure of existing information/documents under proposed Chapter 4, we would be opposed to such change.


4.4 Authorisations for access to prospective information or documents

180 Authorisations for access to prospective information or documents
(1) Sections 276, 277 and 278 of the Telecommunications Act 1997 do not prevent a disclosure of information or a document if the information or document is covered by an authorisation in force under this section.

(2) A certifying officer of a criminal law-enforcement body may authorise the disclosure of specified information or specified documents that come into existence during the period for which the authorisation is in force. [up to 45 days].
(3) The certifying officer may, in that authorisation, also authorise the disclosure of specified information or specified documents that came into existence before the time the authorisation comes into force.
(4) The certifying officer must not make the authorisation unless he or she is satisfied that the disclosure is reasonably necessary for the investigation of an offence against a law of the Commonwealth, a State or a Territory that is punishable by imprisonment for at least 3 years.
(5) Before making the authorisation, the certifying officer must have regard to how much the privacy of any person or persons would be likely to be interfered with by the disclosure.

EFA is opposed to this proposed new power of authorising access to prospective information or documents, that is, information that does not exist at the time a request is made. This is akin to interception and surveillance powers and we observe that existing Section 282 does not contain any provisions authorising access to prospective information.

As pointed out earlier herein, if such "written requests" would apply to mobile phone locational information (which is unknown due to lack of definitions in existing and proposed legislation), it would in effect enable tracking and surveillance of individuals' whereabouts during a period of 45 (or 90) days without a surveillance device warrant, or any other type of warrant. We also object to this means of monitoring individuals' telephone call and email communications and, possibly, web browsing activities without a warrant.

Furthermore, EFA questions whether the Attorney-General's Department has considered, or consulted with technical experts on, the technical feasibility and practicality of Internet Service Providers making records of, as one example, email communication "traffic data" without breaching the existing prohibitions on 'interception' which "consists of ... recording [including copying], by any means, such a communication in its passage over that telecommunications system", and also without breaching the stored communications provisions in relation to the "content or substance" parts of such communications.

EFA has not had time, during the extremely short consultation period, to document the above issue in detail. At this time, we simply comment that it appears the Department has not considered technical feasibility and practicality issues prior to drafting the proposed legislation.

It appears evident that the Attorney-General's Department is already well aware that these "prospective information" access powers are more privacy invasive than the provisions of existing s282, given "written request" authorisations are to be issued by a "certifying officer" (not an "authorising officer", although whether there is any significant difference in rank is unclear) who is required to "have regard to how much the privacy of any person or persons would be likely to be interfered with by the disclosure", and that the power is limited to criminal law-enforcement bodies (and ASIO which is not required to have regard to interference with privacy).

However, a "certifying officer" is nevertheless an employee of a criminal law-enforcement body. EFA considers it entirely unrealistic to expect such officers to have adequate regard to interference with the privacy of third parties who have merely been in contact with a suspect. We consider that many of the same issues which arose in relation to the use of general search warrants and led to the creation of "stored communications warrants" also apply, and more greatly, to authorisation of access to prospective information by mere "written request" by a law enforcement agency.

In short, EFA is strongly opposed to the use of "written requests" to authorise access to prospective information. We consider a stored communications, or interception, warrant must be required.


4.5 Secondary disclosure/use offence

Division 7-Secondary disclosure/use offence
184 Secondary disclosure/use offence
(1) A person commits an offence if:
(a) information or a document is disclosed to the person as permitted by Division 4 or 5; and
(b) the person discloses or uses the information or document.
Penalty: Imprisonment for 2 years.
Exempt disclosures
(2) Paragraph (1)(b) does not apply to a disclosure of information or a document if the disclosure is reasonably necessary:
(a) for the performance by the Organisation of its functions; or
(b) for the enforcement of the criminal law; or
(c) for the enforcement of a law imposing a pecuniary penalty; or
(d) for the protection of the public revenue.
Note: A defendant bears an evidential burden in relation to the matter in subsection (2) (see subsection 13.3(3) of the Criminal Code).
Exempt uses
...

We observe that s184(1) does not apply to ASIO (Division 3). Does this mean that no secondary disclosure/use restrictions at all are to apply to ASIO?

In relation to criminal law-enforcement bodies, proposed Section 184(2) appears to permit secondary disclosure and use of "prospective" information for purposes for which the prospective information could not have been disclosed in the first place, i.e. secondary disclosure/use in relation to investigation of offences with a penalty of less than 3 years. (The authorisation of initial disclosure of prospective information is restricted to when reasonably necessary for the investigation of an offence that is punishable by imprisonment for at least 3 years).

EFA submits that, if the "prospective" information provisions are to remain (which EFA opposes), s184(2) must be amended so as to prohibit secondary disclosure/use of such information for purposes other than when reasonably necessary for the investigation of an offence that is punishable by imprisonment for at least 3 years.

In addition, s184 appears to significantly widen the secondary disclosure/use provisions by permitting wider disclosure of information between agencies of different types for different purposes. However, during the short consultation period, EFA has not had sufficient time to adequately analyse the extent of differences between the existing and proposed law in this regard.


4.6 Civil Remedies

EFA submits that the Civil Remedies provisions (Part 2-10 and Part 3-7) of the TIAA, which apply to unlawful interception and unlawful access to stored communications, should be amended to apply also to contraventions of proposed Chapter 4, i.e. to unlawful disclosure or use of "telecommunications data".


4.7 Civil Proceedings and/or administrative action

EFA observes that s303C of the TA currently applies in relation to s282 of that Act. As s282 is in effect being moved into the TIAA, we submit that provisions equivalent to s303C are required in the TIAA. s303C states:

303C Prosecution of an offence against this Part does not affect proceedings under the Privacy Act 1988
(1) The prosecution of an offence against Division 2 or 4 of this Part for disclosure or use of information or a document does not prevent civil proceedings or administrative action from being taken under the Privacy Act 1988 or an approved privacy code (as defined in that Act) in relation to the disclosure or use.
(2) This section applies regardless of the outcome of the prosecution.
(3) This section does not affect the operation of section 49 of the Privacy Act 1988.

4.8 Report to Communications Access Co-ordinator

We note the provisions in proposed s189 requiring enforcement bodies to give written reports to the Communications Access Co-ordinator concerning the number and type etc of authorisations during each financial year.

While these provisions are welcomed in principle, we question the purpose and usefulness of such reports in the apparent absence of a requirement that the Communications Access Co-ordinator provide a report to the Minister and the Minister provide same to the Parliament.

EFA considers there should be Parliamentary oversight of the extent of use, and purposes of use, of written requests/authorisations, especially if the proposed new powers for enforcement bodies, i.e. enabling disclosure of "prospective information" by way of merely a written request, are implemented. Accordingly, EFA submits that the proposed legislation should be amended to require the Minister to provide reports to the Parliament about authorisations. Such reports could be provided in the same report that is issued by the Minister concerning interception and stored communications warrants.


5. Authorisation of interception for developing and testing interception capabilities (Chapter 2, Part 2-4)

31A Attorney-General may authorise interception for developing and testing interception capabilities
(1) Upon receiving the request, the Attorney-General may authorise interception by employees of the security authority of communications passing over a telecommunications network.

EFA is opposed to this proposed new exception to the prohibition on interception of communications.

Firstly, we question the need for such an exception in the absence of information justifying a legitimate need for same. In this regard, the brief comments in the Blunn Report do not justify the broad exception proposed in the exposure draft. While the Blunn Report states that:

"Currently this is done in a controlled environment to avoid contravening the Interception Act. Because the tests are not real time they may not identify problems that arise in the commercial provision of services. Testing real time data would assist agencies to establish whether C/CSPs are meeting their obligations under the Telco Act."[2]

it provides no indication that there has been any problem that was not identified during controlled environment testing. Furthermore, we note that it is the ACMA's responsibility to ensure CSPs are meeting their obligations, not law enforcement and/or defence and/or intelligence agencies.

Secondly, if the proposed exception can be justified, as currently drafted it nevertheless does not contain adequate controls and accountability mechanisms.

The definition of "security authority" is entirely too open ended:

security authority means an authority of the Commonwealth that has functions primarily relating to:
(a) national security; or
(b) collection of foreign intelligence; or
(c) the defence of Australia; or
(d) the conduct of the Commonwealth's international affairs.

When dealing with matters of this nature, legislation should exhaustively list the specific agencies involved. The proposed definition could include:

  • the AFP, ASIO, ASIS, DSD, etc.
  • the Defence Department generally (including the army, the navy, the air force);
  • the Department of Foreign Affairs and Trade!

If this exception is to be implemented, it requires stringent safeguards, such as:

  1. listing the specific agencies to which an authorisation may be granted;
  2. the authorisation being required to nominate a specific point in a specific telecommunications service provider's network at which the performance of interception is authorised, and the authorisation being restricted to that specific point on that specific network;
  3. a requirement that the Managing Director of the carrier/CSP be notified, in advance, of the interception of their network;
  4. a requirement that the technologies/system must have been well tested in a controlled environment prior to the issue of an authorisation permitting interception of communications on a public telecommunications network;
  5. restrictions on issue of multiple authorisations to an agency designed to prevent the issue of rolling 6 monthly (or any other period) authorisations, that is, so that a second authorisation cannot be issued immediately the first one terminates, nor shortly thereafter;
  6. teeth be given to the conditions of authorisation in proposed s31A(2) (i.e. prohibiting interception of communications for purposes other than development/testing, and communicating, using or recording such communications except for such purposes) by enacting criminal penalties applicable to an individual who breaches those conditions;
  7. the authorisation being required to be laid before Parliament (or otherwise publicly reported on) and preferably made disallowable;
  8. independent audit provisions in relation to the conduct of the interception activities.


6. Dealing for permitted purpose in relation to agency

EFA questions whether the proposed changes to s67 and s139 (addition of phrases such as "or to another agency", "or by another enforcement agency") will enable communications disclosed under an interception warrant or stored communications warrant to be communicated to another agency or body that would not have been eligible/able to obtain such a warrant for their own investigation purposes in the first place.


7. Matters arising from amendments to the 2006 TI Bill

As stated in EFA's document dated 11 October 2006, prepared in response to a request from an officer of the Attorney-General's Department, in EFA's view a number of amendments made to the 2006 TI Bill during its passage through Parliament have not resulted in an adequate level of clarity and certainty.

As the current exposure draft does not include clarification in relation to these matters, and we have not received any information as to why not, the same matters are raised again below.


7.1 Unrestricted access to stored communications by carrier employees?

The 2006 TI Bill, as amended, changed the definition of "stored communication" as follows:

Original definition (replaced):

stored communication means a communication that:
(a) has passed over a telecommunications system; and
(b) is not passing over that or any other telecommunications system; and
(c) is held on equipment that is operated by, and is in the possession of, a carrier; and
(d) is accessible to the intended recipient of the communication.

Definition as amended:

stored communication means a communication that:
(a) is not passing over a telecommunications system; and
(b) is held on equipment that is operated by, and is in the possession of, a carrier; and
(c) cannot be accessed on that equipment, by a person who is not a party to the communication, without the assistance of an employee of the carrier.

The replacement of original (d) with new (c) of the definition of 'stored communication' (which we understand was made to enable access to emails in draft boxes and sent boxes with a stored communications warrant) has resulted in the situation where communications stored on a carrier's equipment that can be accessed thereon "without the assistance of an employee of a carrier" are not "stored communications".

As a result, it appears that an employee of a carrier who can and does access communications stored on the carrier's system "without the assistance of" another employee (for non-specified purposes when neither the sender nor recipient have knowledge of that access) is not prohibited by s108 (or any other provision) from such access because in such circumstances the communications are not "stored communications" as defined. This is contrary to the situation that would have existed if the amendment to the definition had not been made, and contrary to the intention of the specified purposes/exceptions for carrier employees in s108(2)(d) and (e).

We consider item (c) of the definition of stored communication should be amended to state either:

  • "(c) cannot be accessed on that equipment, by a person who is not a party to the communication or an employee of the carrier, without the assistance of an employee of the carrier"; or
  • "(c) cannot be accessed on that equipment, by a person who is not a party to the communication, without the assistance of and/or involvement of an employee of the carrier".

7.2 Knowledge/Notice Provisions and Part 13/s280 of the TA

EFA has concerns about the amendment to section 108(1)(b) to provide that access via a carrier is not prohibited if it takes place with the knowledge of one of the parties to the communication/s and the related amendment inserting s108(1A) regarding the giving of written notice to a party to attain knowledge.

In our opinion, these amendments have resulted in less, not more, clarity and certainty than before the 2006 Bill was enacted.

EFA is under the impression that it was the government's intent that the TIAA as amended, effective from 13 June 2006, would be the sole legislative basis for accessing stored communications. However, in our view it remains uncertain as to whether that objective has been achieved due to the amendments to the 2006 Bill concerning 'notice' and the provisions of Part 13 of the Telecommunications Act 1997 ("the TA").

The current situation appears to be as follows:

  • If an enforcement agency has given written notice to a party to the communication/s of an intention to access same (s108), then it is not an offence under the TIAA to access those communications with the assistance of the carrier.
  • However, the TIAA does not authorise access or disclosure, that is, it does not authorise carriers to disclose communications.
  • Carriers remain prohibited from disclosing communications by Part 13 of the TA, unless an exception under that Act applies.
  • A relevant exception is Section 280(1)(a) of Part 13 of the TA which in effect allows carriers to disclose communications "in a case where the disclosure or use is in connection with the operation of an enforcement agency - the disclosure or use is required or authorised under a warrant".

As a result, it appears that enforcement agencies, for example ASIC, now have two choices:

  1. Obtain a stored communications warrant; or
  2. Give written notice to a party (so that the TIAA s108 offence would not apply) and obtain a normal search warrant for execution on the carrier's premises.

Obviously, if an agency desired covert access, it would have to use option 1. However, option 2 has the potential to be used when a stored communications warrant could not be obtained by an agency because the threshold for issue of a stored communications warrant could not be met (e.g. the suspected offence does not carry a high enough penalty, or an issuing officer would consider that other factors resulted in issue of a stored communications warrant being inappropriate).

EFA considers amendments are necessary to eliminate option 2 and ensure that a stored communications warrant is in fact the sole legislative basis for access to stored communications by agencies with the assistance of a carrier.

EFA would be opposed to any provisions that enabled agencies to access stored communications from a carrier merely by providing written notice of the intention to do so to one of the parties to the communication/s. As we have previously remarked, there is no reliable means by which the carrier can know whether or not the intended recipient, or the sender, has in fact been notified by the agency. Therefore there would be:

  • potential for misuse of any such powers, i.e. failure to notify a party, by Commonwealth, State and Territory criminal law, civil penalty and public revenue enforcement agencies;
  • potential for carriers [includes ISPs] who disclosed the content of communications to be sued by a customer who had not been notified, under the civil remedy provisions of the TIAA and/or TA. In our view carriers should not be placed in the difficult position of having to decide whether to take such a risk or decline to provide the communications the agency claims to have a right to obtain from them.

To resolve the above issues, EFA considers s280(1)(a) of the TA should be amended as proposed in Section 3 hereof.


7.3 Access to communications that are not in the "possession" of the carrier, nor a party to the communication

It appears that the definition of "stored communication" may have created a loophole that may enable agencies to obtain access to communications that are intended (by government policy intent) to be regarded as "stored communications" without a stored communications warrant; and/or may enable Australian based telecommunications service providers to decline to provide communications required by stored communications warrant because the communications do not match the definition of "stored communications".

This is because the definition requires that the communications be held on equipment that is in the "possession" of a carrier, otherwise they are not "stored communications" as defined.

To address this issue, EFA considers item (b) of the definition of stored communication should be amended to state "in the possession or control of a carrier".

An example scenario is that an ISP may make daily or weekly etc backups of communications stored on their system and send the backup tapes/disks to another entity that is not a carrier but is in the business of providing secure off-site storage facilities. We understand some telecommunications service providers use such services with a view to assisting disaster recovery in the event of fire, flood, etc, at their own premises.

The question arises as to what type of lawful authority is necessary if an agency seeks to obtain access to communications held at that storage facility, e.g. with a general search warrant to be executed on those premises. It should be remembered that this type of situation could exist under a State/Territory law/powers. Potential issues in relation to lawful access are more wide ranging than merely in relation to the AFP's, or ASIC's, powers under Commonwealth law.

EFA observes that the term "possession" in Commonwealth laws apparently does not necessarily encompass control in the absence of physical possession. For example, the Crimes Legislation Amendment (Telecommunications Offences and Other Measures) Bill (No. 2) 2004 stated:

"473.2 Possession or control of data or material in the form of data
A reference in this Part to a person having possession or control of data, or material that is in the form of data, includes a reference to the person:
(a) having possession of a computer or data storage device that holds or contains the data; or
(b) having possession of a document in which the data is recorded; or
(c) having control of data held in a computer that is in the possession of another person (whether inside or outside Australia)."

Accordingly, for clarity and certainty, the definition of stored communication should be amended to ensure that where communications are stored and in the control of a carrier, but not in their physical possession, such communications are legislatively regarded as stored communications and therefore cannot be accessed covertly by agencies without a stored communications warrant. As suggested above, item (b) of the definition of stored communication should be amended to state "in the possession or control of a carrier".

In relation to consideration of such an amendment, it may also be pertinent to note that some Australian based telecommunications service providers provide email services/boxes to their customers where the equipment on which the email boxes of the intended recipients are located is owned by, and in the premises of, other companies, including overseas companies. The Attorney-General's Department may wish to consider whether or not, if a stored communications warrant was served on such an Australian based service provider, the service provider would be justified in declining to provide the required access on the grounds that the subject communications do not meet the definition of "stored communications" because they are not "held on equipment that is operated by, and is in the possession of" the Australian based service provider. EFA considers adding "or control" as suggested above would eliminate the potential for such a possibility.


7.4 Type of lawful authority required for agency access to recordings made by a carrier and stored on a carrier's equipment

EFA has previously raised the question of whether a copy of a communication, for example copies made by recording onto back up tapes/disks for disaster recovery purposes, is encompassed within the definition of 'communication'.

We are of the view that the point we have been trying to make may not have been adequately understood and therefore not addressed. For example, the Senate Legislation Committee Report states:

"3.97 EFA suggest that copies of communications stored in a sender's sent box on a carrier's equipment, or communications stored on a carrier's backup device are examples of communications which may be regarded as copies of communications rather than stored communications.
3.98 The Attorney-General's department advised:
A copy of a stored communication accessed by the person on the premises - so any end point of the communication - will not require a stored communications warrant. It is only those communications which are accessed directly from the carrier which will require a stored communications warrant."[3]

It is the issue of a copy being accessed directly from a carrier that EFA seeks to have addressed, not a copy held "at any end point" as referred to above.

EFA remains concerned that it could be argued that when, for example, an ISP makes a recording of a communication (normally of numerous communications) onto a backup tape/disk that what is on that tape/disk is "a copy of a communication" not "a communication" and that as a result access could be obtained with the assistance of the carrier, but without a stored communications warrant, on claimed grounds that the material does not consist of communications, but of copies of communications, and therefore does not meet the definition of "stored communications".

Our concern in this regard is enhanced by the definition of accessing a communication:

6AA Accessing a stored communication
For the purposes of this Act, accessing a stored communication consists of listening to, reading or recording such a communication, by means of equipment operated by a carrier, without the knowledge of the intended recipient of the communication.

The above definition shows that "a communication" and "a recording of a communication" could be regarded as two different things. The issue of concern therefore is what type of lawful authority is necessary for an agency to access, directly from the carrier, "a recording of a communication" that has been made by the carrier (e.g. made lawfully under an exception to the prohibition on access such as backup for maintenance/disaster recovery purposes).

EFA agrees with Recommendation 14 of the Senate Legislation Committee:

"3.107 The Committee recommends that the Bill be amended to ensure that copies of communications can not be accessed without a stored communications warrant."[3]

We had previously recognised that making an appropriate amendment was somewhat problematic due to the definition in the 2006 TI Bill referring to being accessible by the intended recipient. However, an amendment to that definition for other reasons removed that reference.

We therefore now suggest the definition of "stored communication" be amended to state:

"stored communication means a communication (and includes a copy of a communication) that: ..."

We are under the impression such an amendment would be consistent with the government's policy objective, i.e. that it would not change the intent of the existing Act. We also wish to make clear that we are not concerned about, for example, the AFP misunderstanding the legislation. We are concerned about the multitude of agencies, including State/Territory agencies, that are no longer prevented from accessing stored communications and the potential for carriers to be presented with general search warrants requiring access to "copies" on e.g. backup tapes, and carriers, including small ISPs, having to attempt to correctly interpret legislation that in our opinion is insufficiently clear in this regard at present.


7.5 Definition of accessing a stored communication and "record"

We remain of the view that the definition of "record" should be amended so that it applies in relation to, not only an interception, but also accessing a stored communication. This matter is discussed in detail in s3.1.2 of our submission to the Senate Legislation Committee[6]. See also Senate Committee Recommendation 15[3].

We note that this matter was raised during the Committee hearing and Mr Gifford remarked that "This is the first time I have had a chance to have a look at this particular part of the EFA submission. It is certainly something that we are more than open to considering." We had hoped that the reason it was not dealt with before passage of the 2006 Bill was lack of time and that it would be incorporated in forthcoming amendments. However, such an amendment is not included in the exposure draft. If the matter has been considered and deemed not necessary, EFA would appreciate receiving advice of why it is considered unnecessary.


7.6 Inappropriate requirement to notify carriers of remote access to communications during execution of s3L warrant

As the 2006 amendments to the TI Act appear to make clear that the AFP is not prohibited from remotely accessing communications stored on a carrier's equipment when executing a warrant authorising them to search a residence (etc) and computer equipment therein, EFA continues to be of the view (as stated in s6.2.1 of our submission to the Blunn Review[7]) that subsection 3LB of the Crimes Act must be amended to prohibit notification to telecommunications service providers in such circumstances.

In this regard, subsection 3LB states that if "data that is held on premises other than the warrant premises is accessed under subsection 3L(1)" the executing officer must "notify the occupier of the other premises that the data has been accessed under a warrant" as soon as it is "practicable" to do so.

It is totally inappropriate for police to disclose to a telecommunications service provider (the occupier of the other premises) that they have remotely accessed a customer's email under warrant executed at the customer's premises. This type of information about a customer should not be disclosed to the service provider; it is none of the service provider's business.

Amendment to subsection 3LB of the Crimes Act is essential to protect the right of individuals whose premises are searched not to have personal, or any other, information about them unnecessarily disclosed to uninvolved parties by law enforcement agencies.


7.7 Senate Legal and Constitutional Legislation Committee

With regard to the recommendations of the Senate Legal and Constitutional Legislation Committee[3] in relation to the stored communications provisions of the TIA Bill 2006, we observe that a number of those recommendations were substantially similar to recommendations made by EFA. We understand from the Minister for Justice's remarks during the Senate debate that the Committee's recommendations would be further considered by the government with a view to possible further amendments in the spring sessions.

However, it appears from the exposure draft that the majority of the Committee's recommendations are not to be implemented. EFA hopes that the Attorney-General's Department and/or the Government intends to issue a public response to the Committee Report explaining why the recommendations are, apparently, not being implemented.


8. Conclusion

EFA strongly supports proposed s172, which would satisfactorily resolve the long ongoing issue of whether s282(1) and (2) of the TA might allow disclosure of the contents or substance of a communication (without a warrant or even certificate).

However, the majority of other proposed changes in relation to interception and access are of major concern to EFA.

As a result, EFA would be unable to support passage of the proposed legislation in its current form.


9. References

1. Exposure Draft of Telecommunications (Interception and Access) Amendment Bill 2007
<http://www.ag.gov.au/www/agd/agd.nsf/Page/Publications_Exposuredrafttelecommunicationsinterceptionprovisions-February2007>

2. Blunn Report of the Review of the Regulation of Access to Communications, August 2005.
<http://www.ag.gov.au/www/agd/agd.nsf/Page/Publications_Blunnreportofthereviewoftheregulationofaccesstocommunications-August2005>

3. Senate Legal and Constitutional Legislation Committee Report and Recommendations, Inquiry into the provisions of the Telecommunications (Interception) Amendment Bill 2006, 27 March 2006.
<http://www.aph.gov.au/senate/committee/legcon_ctte/ti/report/index.htm>

4. Telecommunications (Interception) Amendment (Stored Communications) Bill 2004: Second Reading, 29 November, 2004.
<http://parlinfoweb.aph.gov.au/piweb/TranslateWIPILink.aspx?Folder=HANSARDS&Criteria=DOC_DATE:2004-11-29%3BSEQ_NUM:65%3B>

5. ACMA Determination of Requirements Certificates under subsections 282(3), (4) or (5), 10 December 1998.
<http://www.acma.gov.au/ACMAINTER.1638528:STANDARD::pc=PC_335>

6. EFA submission to the Senate Legal and Constitutional Legislation Committee, Inquiry into the provisions of the Telecommunications (Interception) Amendment Bill 2006, 12 March 2006.
<http://www.efa.org.au/Publish/efasubm-slclc-tiabill-2006.html#47_19>

7. EFA submission to the Blunn Review of the Regulation of Access to Communications under the Telecommunications (Interception) Act 1979, 20 May 2005.
<http://www.efa.org.au/Publish/efasubm-agd-tiactreview2005.html#05_15>


10. About EFA

Electronic Frontiers Australia Inc. ("EFA") is a non-profit national organisation representing Internet users concerned with on-line rights and freedoms. EFA was established in January 1994 and incorporated under the Associations Incorporation Act (S.A.) in May 1994.

EFA is independent of government and commerce, and is funded by membership subscriptions and donations from individuals and organisations with an altruistic interest in promoting online civil liberties. EFA members and supporters come from all parts of Australia and from diverse backgrounds.

Our major objectives are to protect and promote the civil liberties of users of computer based communications systems (such as the Internet) and of those affected by their use and to educate the community at large about the social, political and civil liberties issues involved in the use of computer based communications systems.

EFA policy formulation, decision making and oversight of organisational activities are the responsibility of the EFA Board of Management. The elected Board Members act in a voluntary capacity; they are not remunerated for time spent on EFA activities. The role of Executive Director was established in 1999 and reports to the Board.

EFA has long been an advocate for the privacy rights of users of the Internet and other telecommunications and computer based communication systems. EFA's Executive Director was an invited member of the Federal Privacy Commissioner's National Privacy Principles Guidelines Reference Group and the Research Reference Committee (2001) and the Privacy Consultative Group (2004-2005). EFA participated in NOIE's Privacy Impact Assessment Consultative Group relating to the development of a Commonwealth Government Authentication Framework (2003), Centrelink's Voice Authentication Initiative Privacy Impact Assessment Consultative Group (2004-2007), the ENUM Discussion Group and Privacy & Security Working Group convened by the Australian Communications and Media Authority ("ACMA" formerly ACA) (2003-2007), and the ACA's Consumer Consultative Forum meeting (April 2005). EFA has presented written and oral testimony to Federal Parliamentary Committee and government agency inquiries into privacy related matters, including amendments to the Privacy Act 1988 to cover the private sector, telecommunications interception laws, cybercrime, spam, etc.