Submission
20 May 2005
Review of the Telecommunications (Interception) Act 1979
Below is a copy of EFA's submission to the C'th Attorney-General's Department's Review of the Regulation of Access to Communications under the Telecommunications (Interception) Act 1979.
Contents:
- Executive Summary
- Introduction
- Policy Objectives of the TI Act
- Email, SMS and Voice Mail Communications
- Protecting the privacy of users of the Australian telecommunications system
- Review of Current Access to Email, SMS and Voice Mail Communications
- Access with search warrant executed at telecommunications services providers' premises
- Access from Warrant Premises to Remotely Stored Communications
- Access by other means: "as authorised or required by law"
- Broad Secondary Use and Disclosure
- Lack of Requirements to Destroy Irrelevant Information
- Insufficient Reporting Requirements
- Policy Options for Achieving the TI Act Objectives
- Regulation of Access to Communications
- "Highly Transitory" Communications
- Internet Browsing
- Conclusion
- References
- About EFA
1. Executive Summary
- (a) The Telecommunications (Interception) Act 1979 ("TI Act") does not adequately achieve its primary objective of protecting the privacy of individuals who use the Australian telecommunications system. This is particularly so in relation to the privacy of individuals who use new telecommunications technologies such as email, SMS and voice mail to communicate.
- (b) The TI Act should be amended in a way that is more akin to the general policy intent of the Telecommunications (Interception) Amendment Bill 2004 ("the First 2004 Bill") which was to increase privacy protection for users of email, SMS and voice mail communications.
- (c) The primary problem that became apparent with the First 2004 Bill (i.e. difficulty of knowing with certainty whether a communication had been read/accessed by the intended recipient) is not a valid or justifiable reason for completely excluding communications that are delayed and temporarily stored during passage from protection by the TI Act. Rather, the problem demonstrates that, in light of new telecommunications technologies, a new approach to achieving the original policy objectives of the TI Act must be found and implemented.
- (d) The covert surveillance nature of search/seizure of individuals' communications at telecommunications service providers' premises is vastly more open to misuse and abuse than execution of a search warrant at an individual's own premises. Accordingly, use of "some other form of lawful authority, such as a search warrant" (something other than an interception warrant) at telecommunications service providers' premises to access content of communications should not be permitted unless markedly more appropriate safeguards and controls are put in place than currently exist.
- (e) All communications that are being, or have been, carried over a telecommunications system should be afforded protection of the TI Act while they remain stored on a telecommunications service provider's equipment. We believe such a policy approach is the only means of providing certainty in relation to means of lawful access by government agencies and appropriate protection for the privacy of individuals who use the telecommunications system.
- (f) A "stored communication" should be defined as a communication that is being, or has been, carried on a telecommunications system and is stored on a (telecommunications) carriage service provider's equipment ('equipment' as defined in the TI Act), but does not include a VOIP or other highly transitory communication.
- (g) Access to communications stored on a telecommunications service provider's equipment should not be permitted except under authority of a warrant issued for that specific purpose by a Judge of a Federal Court or State/Territory Supreme Court or a nominated member of the AAT.
- (h) A new type of warrant (e.g. a "stored communications warrant") should be created for the specific purpose of authorising access to communications stored on a telecommunications service provider's equipment. Appropriate provisions regulating issue and use of a new warrant and related use and disclosure of seized communications should be inserted into the TI Act and access under authority of such a warrant made an exception to the prohibition on interception.
- (i) As a less acceptable alternative, new special purpose Commonwealth and State/Territory warrants should be introduced, including provisions requiring notification to persons, or that a Public Interest Monitor be involved in issue of warrants and monitoring of execution of same. The TI Act should include provision for State/Territory warrants that are substantially the same as the proposed new Commonwealth warrant (and are only able to be issued by a person who is a Judge of a Supreme Court) to be named in the TI Act as an exception to the prohibition on interception at the request of a relevant State/Territory Government.
- (j) Civil penalty enforcement and public revenue agencies should not be permitted to obtain stored communications from telecommunications service providers unless they have obtained the same warrant (by providing the same information and satisfying the same issuing requirements and conditions) as criminal law enforcement agencies would be required to obtain in the same circumstances.
- (k) Apparent uncertainty concerning whether agencies such as ASIC are currently permitted to issue their own compulsory notices to produce to telecommunications service providers to obtain other people's communications should be addressed and amendments made to the Telecommunications Act 1997 to ensure it is clear that such agencies are required to obtain a warrant.
- (l) The preservation of legal professional privilege should be a matter required to be taken into consideration in the issue and use of warrants executed at telecommunications service provider's premises for the purpose of obtaining stored communications.
- (m) If, in future, "named person" interception warrants are to be available to authorised interception agencies for accessing "stored communications" as well as intercepting telephone calls, the interception warrant provisions must be amended to require the issuer to consider matters relevant to accessing stored communications.
- (n) The TI Act should be amended to restore the pre-existing restrictions on access/interception by telecommunications service provider employees.
- (o) Employers should not be prohibited from using human review to manage the security of their own internal systems/networks.
- (p) Subsection 3LB of the Crimes Act 1914 (C'th) must be amended to prohibit notification to telecommunications service providers in circumstances where police have remotely accessed a customer's email under a warrant executed at the customer's premises.
- (q) The Crimes Act 1914 (C'th) Part 1AA warrant must be amended to ensure its references to "data" cannot be interpreted as authorising copying and seizure of the entire contents of an ISP's mail server/hard drive (or any other hard drives associated with the carriage of telecommunications) merely because one or some customers' email might constitute evidentiary material.
- (r) Agencies should not be permitted to use seized equipment or information after removal of same from warrant premises (e.g. under a Crimes Act Part 1AA warrant) to remotely access stored communications without specific authority from a judicial officer containing similar safeguards and controls as apply in the case of interception warrants.
- (s) Amendments to the Telecommunications Act 1997 concerning content of communications would be essential if the TI Act is not amended to protect, and regulate access to, all stored communications. Amendments that would be essential include, but are not limited to, items (t) to (x) below.
- (t) Section 280 of the Telecommunications Act 1997 (disclosures authorised by law) must be amended so that stored communications have more protection from disclosure than postal mail, not less protection as is the case at present.
- (u) Section 282 of the Telecommunications Act 1997 must be amended to unambiguously ensure that the content or substance of communications is not permitted to be disclosed by way of a request from government agencies under Sections 282(1) and (2).
- (v) All secondary use/disclosure provisions of the Telecommunications Act 1997 must be amended in a manner that ensures the content or substance of a communication is only permitted to be used or disclosed for the same purpose as the purpose for which the original disclosure was made by the telecommunications service provider.
- (w) The Privacy Act 1988 should be amended to include a requirement to destroy personal information and content of communications of third parties that is obtained from collection of stored communications under warrant or any other form of authorisation that is not directly related to and necessary for the purpose for which the warrant or other authorisation was issued.
- (x) The Telecommunications Act 1997 should be amended to require, at a minimum, disclosure reports to show the number of disclosures involving content of communications, including the section authorising such disclosure and the names of government agencies/departments to whom disclosures were made. It should also require the Minister to issue a report annually concerning disclosures of information, including the effectiveness of such disclosures in combatting crime, that is, similar to reports required to be issued in accord with Part IX Division 2 of the TI Act.
- (y) The ambiguity and resultant lack of clarity between the TI Act and the Surveillance Devices Act 2004, in relation to highly transitory communications such as a "live" text based chat session, should be addressed through legislative amendments to either Act so that the law is clear to both law enforcement agencies and users of the telecommunications system.
2. Introduction
01. EFA welcomes the opportunity to make a submission to the Review of the Regulation of Access to Communications under the Telecommunications (Interception) Act 1979[1].
02. In our view, the Telecommunications (Interception) Act 1979 ("TI Act"), as amended by the Telecommunications (Interception) Amendment (Stored Communications) Act 2004 ("TIA(SC) Act"), does not adequately achieve its primary objective of protecting the privacy of individuals who use the Australian telecommunications system. This is particularly so in relation to the privacy of individuals who use new telecommunications technologies such as email, SMS and voice mail to communicate.
03. While we recognise that the TIA(SC) Act was considered to be urgently necessary to address operational concerns of the Australian Federal Police ("AFP"), it also went far beyond those needs in completely removing "stored communications" including communications temporarily delayed during passage from the coverage of the TI Act. It opened up access to private, confidential and/or privileged communications to a vast range of Commonwealth and State/Territory government agencies and private litigators. It is of even greater concern that this occurred without implementing appropriate accountability, record-keeping, reporting and auditing provisions and without surety of prohibition (if any) on secondary (subsequent) uses and disclosures of communications.
04. We submit that the amendments made by the TIA(SC) Act should be repealed, or at least allowed to expire in December 2005 in accord with the sunset clause.
05. The pre-existing TI Act should be amended in a way that is more akin to the general policy intent of the Telecommunications (Interception) Amendment Bill 2004 ("the First 2004 Bill") which was to increase protection for email, SMS and voice mail communications.
06. We believe issues raised about particular provisions of the First 2004 Bill can be addressed by more appropriate means than the broad brush approach of the TIA(SC) Act, that is, in a way that achieves the objective of the TI Act to protect the privacy of individuals who use the Australian telecommunications system and also provide appropriate access mechanisms for law enforcement agencies.
3. Policy Objectives of the TI Act
07. The objectives of the Telecommunications (Interception) Act 1979[2] ("TI Act") are as follows:
"Its primary object is to protect the privacy of individuals who use the Australian telecommunications system by making it an offence to intercept communications passing over that system other than in accordance with the provisions of the Interception Act. The second purpose of the Interception Act is to specify the circumstances in which it is lawful for interception to take place." (TI Act Annual Report 2004[3])
08. Currently the TI Act most certainly achieves its second purpose. However, it does not achieve its primary objective of protecting the privacy of individuals who use the Australian telecommunications system.
4. Email, SMS and Voice Mail Communications
09. Currently the TI Act does not adequately, if at all, protect the privacy of users of the Australian telecommunications system who use relatively new telecommunications technologies such as email, SMS, MMS and voice mail messages.
4.1 Analogy with P.O. Box Mail is Inappropriate
10. Some government agencies, in particular the Australian Federal Police ("AFP")[4] and the Australian Securities and Investments Commission ("ASIC")[5], have contended that allowing government agencies to access communications that are temporarily delayed and stored on telecommunications service providers' systems during passage, without an interception warrant, is analogous to agencies' powers to use search warrants to access postal mail in a P.O. Box prior to the mail being collected by the intended recipient.
11. EFA does not, however, consider that it is analogous. In any case, such an analogy is not appropriate in terms of determining public policy because the potential for invasion of individuals' privacy is significantly greater in relation to communications made by email than postal mail sent to a P.O. Box:
- The vast majority of individuals in Australia (i.e. except in remote areas) have a choice about whether they have their postal mail delivered to a P.O. Box or not and whether they send mail to a P.O. Box or not. The same cannot be said for those who wish to use new telecommunications technologies, the nature of which involves temporary delay and storage during transit. Further, P.O. Boxes are primarily used by businesses not by individuals for receiving their personal and private correspondence.
- As ASIC has acknowledged: "the use of a conventional search warrant or notice on an ISP differs from use on a Post Office in that an ISP (unlike a post office) is likely to have records of email which has been previously delivered. This is a unique feature of stored communications which applies neither to postal communications or telephony."[6]
- Individuals who send email have no control whatsoever concerning whether the recipient prefers to keep their received/read messages stored on their ISP's mail server for weeks, months or years rather than downloading messages to their own computer (as do many users of IMAP/webmail services so that, for example, they can access their email from home, office and while travelling). Postal mail is generally not left in a P.O. Box for a week, let alone months or years. In addition, when a person makes a telephone call, even if the person with whom they are speaking records it, the recording is not stored on a telecommunications service provider's equipment and therefore it is not able to be obtained by government agencies from a service provider.
- When a letter is retrieved by the recipient from a P.O. Box, unlike an email or other telecommunication, a copy of the letter does not/cannot automatically remain in the possession of Australia Post, hence government agencies can no longer obtain the letter from the service provider.
- If an envelope or article has been intercepted at a P.O. Box and opened by a law enforcement agency, the interference is likely to be apparent to the recipient (with regard to articles accidentally damaged during transit, Australia Post is required to notify the recipient of that). No such protection against misuse of government agency powers exists in relation to opening/reading of email; it can easily be read covertly.
12. Furthermore, enactment of the TIA(SC) Act has resulted in email and other electronic communications having even less protection from access/seizure by government agencies than postal mail in a P.O. Box.
4.2 Currently less protection than Australia Post P.O. Box Mail
13. At present, postal mail awaiting collection in an Australia Post P.O. Box receives more protection from 'interception' (i.e. primary disclosure) and also more protection from secondary (subsequent) use and disclosure than email, SMS and voice mail messages that are temporarily delayed during passage and stored on a telecommunications service provider's system/equipment. The comparative situation regarding primary disclosure is set out in Section 6.3.1 below and regarding secondary disclosure in Section 6.4 below.
4.3 Comparison with Other Countries
14. The amendments made by the TIA(SC) Act stand in stark contrast to recent legislative amendments in comparable countries which increased, not decreased, the protection for written communications such as email and postal mail.
15. In the United Kingdom, in 2000 the coverage of interception legislation[7] was extended to protect communications in writing including postal mail in transit. An interception warrant is required to intercept email (and other electronic written communications) and postal mail in transit. In relation to communications that remain stored on a telecommunications service provider's equipment after they have been received by the intended recipient, police in the U.K. are not permitted to use a normal search warrant to access/obtain same. They are required to apply to a circuit judge for a special production order which requires consideration of additional matters in relation to whether or not access should be permitted. More detail is provided in Section 8.2.2.
16. In New Zealand, in 2003 interception legislation[8] was extended to protect private communications in written form. Previously it only covered private oral communications. The N.Z. legislation does not distinguish between delivered and undelivered stored communications, nor does it appear to deal with the matter of when a delayed and stored communication ceases to be in transit. It seems plain however that undelivered stored communications cannot be intercepted by law enforcement agencies without an interception warrant.
5. Protecting the privacy of users of the Australian telecommunications system
17. The TIA(SC) Act removed the protection for communications that are temporarily delayed and stored during their passage over a telecommunications system by, in effect, deeming that communications were no longer passing over the system when stored on telecommunications system equipment pending delivery to or collection by the intended recipient.
18. In addition, we believe the TIA(SC) Act also had the effect of removing protection for communications that remain stored on a service provider's telecommunications system equipment after they have been delivered to or collected by the intended recipient. While arguably such communications were not previously protected by the TI Act, the lack of clarity in that regard combined with the difficulty of knowing whether a message had been read or otherwise accessed by the intended recipient resulted in some, quite probably many, telecommunications service providers declining to provide access to the content of communications unless an interception warrant was provided.
19. For example, Telstra informed the Senate Committee inquiry in June 2004[9] that:
"...Telstra's practice has been to disclose stored communications in accordance with an interception warrant. However, pursuant to the Stored Communications Bill, the interception of stored communications will no longer be prohibited under the Telecommunications (Interception) Act 1979. As a result, Telstra may therefore be required to disclose the content of stored communications to, for example:
- law enforcement agencies in accordance with a search warrant;
- other government bodies with statutory information gathering powers; and
- members of the public, such as private litigants, under subpoena or other court order."
20. Similarly, an Attorney-General's Department representative informed the Senate Committee inquiry in 2002[10] that:
"...the difficulty is that the technology that is actually out there, the way each ISP or each carrier service prior to each carrier works, they find it very difficult to differentiate [between messages that have and have not been downloaded]. So if a law enforcement agency goes up there with a search warrant, they will say, 'Go away and get a telecommunications interception warrant as well.' So the intercepting agencies are having to front up with two forms of warrant for one communication because the carrier cannot differentiate whether or not it has been downloaded onto a person's personal computer."
21. We are of the view that the TI Act should, at a minimum, be amended in a manner intended to achieve a policy objective more akin to the First 2004 Bill. That Bill sought to increase the protection for email, SMS and voice messages by extending the definition of interception to include reading and viewing and ensure communications temporarily delayed and stored during their passage over a telecommunications system remained protected from access/interception unless an interception warrant was obtained.
22. However, given the issues that became apparent during the Senate Committee inquiry into the First 2004 Bill, it is clear that implementing that Bill would result in operational difficulties for law enforcement agencies. It would also not provide certainty to users of the telecommunications system concerning the extent to which their privacy was protected.
23. In our view the primary problem with the First 2004 Bill was that, in effect, it necessitated knowing whether a communication stored on a service provider's equipment had been read or otherwise accessed by the intended recipient in order to determine whether it had completed its passage. In reviewing this issue, we have come to the conclusion that such a dividing line is impractical. Even if currently this could certainly be determined in relation to, for example, an email stored on an ISP's mail server (which is not certain), the same issue may arise with communications software and technologies developed in the future.
24. We do not however consider that the difficulty of knowing whether a communication has been read/accessed by the intended recipient is a valid or justifiable reason for excluding communications that are temporarily delayed and stored during passage from protection by the TI Act. Rather, we consider the problem demonstrates that a new approach to achieving the original policy objectives of the TI Act must be found and implemented.
25. When the TI Act was originally drafted it was not contemplated that communications would be stored either temporarily during passage, or remain stored subsequently, on telecommunications service providers' equipment, as such technology did not exist. However since that time, most of the new telecommunications technology developed (especially with regard to the Internet) has either required or allowed the temporary storage of communications.
26. Accordingly, it has become appropriate to consider whether public policy should afford different levels of privacy protection to communications depending on matters such as whether the communication is a "live" conversation taking place at the time it is intercepted and recorded by a third party, or whether the intended recipient of an email communication is aware, or has had an opportunity to become aware, of the content of an email.
27. In other words, does the content of a communication become less sensitive, or less private, or less confidential, or less privileged, merely because the participants know what it was about? Is a communication less deserving of strong privacy protection merely because the participants are aware of the content of the communication? The answer to those questions may be found in the history of the TI Act concerning transcripts of telephone conversations.
28. It is relevant to recall that the reason for implementation of the existing protections from interception, and associated rigorous safeguards and controls, in relation to telephone calls was not only to protect privacy and confidentiality during a "live" telephone call, but also to protect transcripts of telephone conversations, obtained from both lawful and unlawful interception, from use and disclosure other than for specified permitted purposes.
29. The current rigorous controls and safeguards relating to interception warrants originated from a combination of the illegal interceptions by the NSW police force and the so-called "Age Tapes" affair[11], which included publication of transcripts of unlawfully intercepted telephone conversations in newspapers; the Stewart Royal Commission of Inquiry into Alleged Telephone Interceptions Report; and the resultant recommendations of the 1986 Joint Select Committee on Telecommunications Interception[12], which were included in the Telecommunications (Interception) Amendment Bill 1987[13].
30. EFA considers there is no reason whatsoever to justify less protection for "stored" email conversations than transcripts of telephone conversations. The potential consequences for individuals resulting from access to and/or disclosure of their email communications by third parties are exactly the same as in relation to transcripts of their telephone conversations.
31. The media and anyone else risk criminal prosecution if they publish (i.e. "communicate to another person, make use of") tapes or transcripts of telephone conversations unless they are quite sure the tape or transcript did not originate from either lawful or unlawful interception (TI Act s63(1) and s105). Currently, however, if police officers or other government agency employees leak the content of email, whether lawfully or unlawfully obtained, to the media or any person there is no prohibition on the media or another person publishing the content of the email. The media is exempt from the provisions of the Privacy Act 1988 (and defamation action, even if relevant in a particular instance, is out of the reach of the majority of individuals due to costs). The same situation applies if a telecommunications service provider employee leaks content of email to the media or anyone else. (The secondary use/disclosure restrictions in the Telecommunications Act 1997 do not apply to the media or anyone else who obtains information as a result of an unlawful disclosure by a service provider employee).
32. In our view, all communications that are being, or have been, carried over a telecommunications system should be afforded the overall protection of the TI Act while they remain stored on a telecommunications service provider's equipment. It should be illegal to intercept/access such communications except in accordance with exceptions specified in the TI Act.
33. The existing exceptions applicable to so-called "stored communications", many of which have not even completed their passage over the telecommunications system, should be deleted and new exceptions inserted to provide for lawful access for appropriate specified purposes.
6. Review of Current Access to Email, SMS and Voice Mail Communications
34. The current situation which permits access to so-called "stored communications" in accordance with "some other form of lawful authority, such as a search warrant"[14] (something other than an interception warrant) is fraught with problems that require legislative amendment if the current access policy were to remain.
35. Furthermore, several issues of serious concern have recently come to EFA's attention that to our knowledge were not raised or considered during the two Senate Committee inquiries last year.
6.1 Access with search warrant executed at telecommunications services providers' premises
36. EFA submits that search warrants like the current Crimes Act 1914 (C'th)[15] Part 1AA search warrant are totally unsuitable for authorising access to communications stored on a telecommunications service provider's equipment/premises.
37. Search warrants lack all of the safeguards and controls applicable to interception warrants. In addition, aspects that have recently come to EFA's attention further demonstrate the unsuitability of such warrants. These include:
- the covert nature of searches at telecommunications service providers' premises;
- legal professional privilege;
- a Crimes Act Part 1AA warrant authorises seizure of a copy of the entire contents of an ISP's email server/hard disk, that is, the email of all of their customers (under the interpretation of the Federal Court in 2004).
38. Those matters are discussed below.
6.1.1 Covert nature of searches at telecommunications service providers' premises
39. The TIA(SC) Act has granted the Australian Federal Police, numerous other Commonwealth, State and Territory government agencies and non-government persons the power to, in effect, engage in covert searches and seizures. This occurs when a search warrant (or other form of lawful authority) is executed on a telecommunications service provider requiring them to provide access to communications of other persons. The individual who is the subject of the search is not required to be notified of the search/seizure of their communications, nor are any non-suspect individuals whose communications are also accessed/seized. From the perspective of the individuals, the search/seizure is covert.
40. Covert searches of the above type are vastly more open to abuse than execution of a search warrant at a suspect's premises. When an individual's home or office is searched by police, the individual is in a position to challenge issue of the warrant or its method of execution etc and/or to lodge a complaint with the relevant ombudsman if they believe the search should not have been conducted etc. This minimises the prospect of police and other agencies misusing search powers. It is extremely unlikely that telecommunications service providers would inform their customer (or any other persons whose communications were accessed) that a search/seizure of his/her communications had been undertaken by police or another agency.
41. While the above situation also applies to interception warrants, the "intrusive and clandestine nature"[16] of interception warrants has long been recognised and, accordingly, the TI Act contains rigorous safeguards and controls designed to prevent misuse.
42. Although covert searches may have previously been able to be undertaken to obtain communications that had completed their passage, the interpretation of the TI Act by some, quite probably many, service providers prevented covert search/seizure without an interception warrant (e.g. Telstra quoted earlier herein).
43. The Act's facilitation of covert search/seizure of communications that have not completed their passage (i.e. have been temporarily delayed and stored during passage) is of even greater concern because such communications may never even be knowingly received by the intended recipient. For example, technical problems with service providers' equipment/systems have resulted in loss/deletion of email communications[17].
44. The AFP does not have authority to conduct covert searches at residential or other premises. They are required to notify the occupier. It is highly inappropriate that the AFP and other agencies are currently permitted to covertly access/obtain the content of individuals' communications from telecommunications service providers merely by notifying the 'occupier' of the service providers' premises without any additional controls and safeguards to offset the covert surveillance nature of the search/seizure.
45. The AFP has previously acknowledged that covert searches are a "sensitive issue" and while they have been seeking the power to conduct covert searches of residential and other premises, such power has not been granted. The situation remains the same as reported in the Senate Standing Committee for the Scrutiny of Bills 2000 Report on the Inquiry into Entry and Search Provisions in Commonwealth Legislation[18]:
"Covert searches
5.34 Prior to the passage of the new Part IAA of the Crimes Act 1914, it had been lawful for members of the AFP to conduct searches of premises, under warrant, without first notifying the owner/occupier of the search. The AFP also referred to cases in which police wished to execute a search warrant without the knowledge of an occupier of premises. In such cases, AFP officers would find it useful to be able to enter premises covertly to take photographs or fingerprints or obtain other secondary evidence of criminal conduct.29 This approach was currently prevented by the requirement that an occupier be given a copy of the search warrant and a receipt for any items removed during the search.30 There was also a presumption that an occupier should, if practicable, be present during the execution of a warrant.31
5.35 The AFP proposed that the Act contain a provision which would authorise police to conduct covert searches, under warrant, with the knowledge and authority of the issuing officer, subject to appropriate safeguards.32 Two safeguards suggested included a requirement that the covert search be undertaken in the presence of an AFP member who was independent of the investigation, and notifying the occupier of the details of any covert search once charges were preferred, or an investigation finalised, or the reasons for the investigation remaining covert no longer applied. [emphasis added]
5.36 In advancing this proposal, the AFP noted that this was "clearly a sensitive issue in which the community interest in effective law enforcement must be balanced against individual rights and freedoms".33 [emphasis added]
...
5.48 ...the Committee has reservations about authorising the AFP to conduct covert searches, which, as the AFP itself observes, remains "a sensitive issue" involving a balance between effective law enforcement and the right not to have an otherwise illegal act performed on one's property. It is well to remember the words of the Vice Chancellor, Sir JL Knight Bruce in Pearse v Pearse that: the discovery and vindication and establishment of truth are main purposes certainly of the existence of Courts of Justice; still for the obtaining of these objects, which, however valuable and important, cannot be usefully pursued without moderation, cannot be either usefully or creditably pursued unfairly or gained by unfair means, not every channel is or ought to be open to them - Truth like all other good things, may be loved unwisely - may be pursued too keenly, may cost too much.43 ...
Recommendations
...
16. While aware that covert searches might make law enforcement easier, the risks are such that the Committee is opposed to recommending such searches.
46. The Government's response[19] to the Committee's report, issued three years later in August 2003 stated in relation to Recommendation 16 above: "Noted. This issue remains under consideration."
47. According to the AFP's testimony to the same Committee during a hearing on 11 March 2005[20], the AFP is still not empowered to conduct covert searches.
48. To our knowledge, no agencies actually sought power to covertly obtain stored communications from telecommunications service providers. Whether or not they did, that too is "clearly a sensitive issue in which the community interest in effective law enforcement must be balanced against individual rights and freedoms"[21]. Currently there is no balance.
49. Use of search warrants at telecommunications service providers' premises to access content of communications should not be permitted unless either rigorous safeguards and controls, or a requirement to notify the subject individual, are legislatively in place. This matter is addressed in Section 8 Regulation of Access to Communications.
6.1.2 Legal professional privilege
50. Searches of the covert nature referred to above unduly infringe legal professional privilege (and also other common law privilege, e.g. Parliamentary privilege).
51. While over-riding legal professional privilege in intercepting "live" telephone calls has been regarded as justifiable because it is largely unavoidable[22], in our view it is not justifiable in relation to accessing communications by way of executing a search warrant at a third party telecommunications service provider's premises.
52. In the case of search warrants executed on an individual's own premises, the individual is generally given the opportunity to be present and have a lawyer present and is entitled to raise legal professional privilege in relation to relevant documents[23]. No such opportunity is available in the case of searches at a telecommunications service providers' premises and the 'occupier' of those premises is certainly not in a position to know whether the stored communications include communications that are the subject of legal professional privilege.
53. Further, we are strongly opposed to civil penalty and public revenue agencies being permitted to serve their own compulsory notices to produce on telecommunications service providers to obtain, in effect seize, other persons' stored communications. While agencies such as ASIC, ACCC, ATO, etc are empowered to serve notices to produce on third parties such as banks and financial institutions, such organisations are unlikely to be in possession of their clients' communications that are privileged between a client and his/her lawyer. However communications between an individual and his/her lawyer are likely to be among communications stored on a telecommunications service provider's equipment, especially in the current situation where agencies are permitted to access communications that have not completed their passage over the telecommunications system. Hence, an individual does not even have an opportunity to collect (delete) privileged communications from the service provider's system/equipment.
54. We are especially concerned by the current situation in relation to compulsory notices to produce issued by e.g. ASIC. For example, as stated in the Senate Legal Committee's July 2004 Report on the TIA(SC) Bill[24]:
"3.33 The representative of ASIC went on to note that in its view, if the Bill was enacted, ASIC would be able to use compulsory notices to access all emails stored at an ISP, whether they had been read or not: 'At least some of our compulsory notice powers are quite restricted in terms of what we could require production of, but they do not actually require that an offence has been committed or that we have suspicion that an offence has been committed before we can serve them. ...'"
55. Agencies most certainly should not be permitted to serve their own compulsory notices to produce on telecommunications service providers when there is no suspicion that an offence has been committed as referred to by ASIC above.
56. Furthermore, in our view, the above quotation indicates there is uncertainty in current telecommunications legislation concerning whether or not ASIC is in fact authorised to obtain content of stored communications in the above manner. That uncertainty, which apparently needs to be addressed, is discussed in Section 6.3.1 later herein.
57. We observe that, in relation to the ACCC's compulsory notice issuing powers, the Trade Practices Legislation Amendment Bill (No. 1) 2005[25] inserts a new subsection 155(7B) which states that:
"This section does not require a person to produce a document that would disclose information that is the subject of legal professional privilege."
58. and the Explanatory Memorandum states that:
"The insertion of subsection 155(7B) implements recommendation 13.5 of the Dawson Review which stated that section 155 should be amended to ensure that the TP Act does not require the production of documents to which legal professional privilege attaches. The Government endorsed this recommendation because preserving legal professional privilege is in the public interest, as it facilitates the obtaining of legal advice and promotes the observance of the law."
59. We agree that preserving legal professional privilege is important for the above reasons and consider that efforts should be made to preserve same, to the greatest extent possible, in relation to accessing communications from third parties who are telecommunications service providers. We do not consider the general rules in relation to admissible evidence are adequate in that regard. Privileged communications should not be permitted to be seized in the foregoing circumstances in the first place, other than in instances of genuine urgency in connection with serious criminal offences.
60. Although the ACCC's powers referred to above would not require a telecommunications service provider to disclose a customer's or other person's information that is the subject of legal professional privilege, a service provider is not in a position to know whether communications of customers and other persons stored on their equipment includes such communications, therefore they should not be served with such notices.
61. Civil penalty enforcement and public revenue agencies should not be permitted to obtain stored communications from telecommunications service providers unless they have obtained the same warrant (by providing the same information and satisfying the same issuing requirements and conditions) as criminal law enforcement agencies would be required to obtain in the same circumstances.
62. The preservation of legal professional privilege should be a matter required to be taken into consideration in the issue and execution of warrants executed at telecommunications service provider's premises. If the stored communications are likely to include communications the subject of legal professional privilege, the communications sought to be seized should be required to be placed in the confidential safekeeping of an independent person and the relevant individual provided with the opportunity to prevent disclosure of any such communications to the agency, by way of liaison with the agency and if that fails by application to the issuer of the warrant.
6.1.3 Seizure of the entire contents of an ISP's email server/hard disk
63. A Federal Court decision in May last year makes abundantly clear that, since enactment of the TIA(SC) Act, a Crimes Act Part 1AA warrant executed at an ISP's premises would authorise executing officers to choose to seize a copy of the entire contents of an ISP's mail server even when there is only one customer whose email might contain evidentiary material.
64. Such seizure would be a gross invasion of the privacy and other rights of all of the ISP's customers and other people who had sent emails to the ISP's customers.
65. In Kennedy v Baker [2004] FCA 562; (2004) 135 FCR 520[26], the Federal Court considered the construction of Section 3L(1A) in relation to a warrant executed by the AFP on behalf of ASIC. The matter involved the seizure of a copy of the entire contents of a computer hard drive when only one document (a single computer file) that might constitute evidentiary material had been identified during forensic analysis of the hard drive. As stated in the Federal Court's Summary accompanying the reasons for judgment, the applicant "argued, in effect, that the subsection only authorised information held in the hard drive that itself fell within the terms of the warrant to be copied. The respondents [ASIC/AFP] argued, in effect, that the subsection treated the information or data held in the hard drive as a single body of information and authorised the copying of that information in its entirety".
66. Following detailed analysis of relevant provisions and the word "data" therein, the Court concluded that "the construction of subs 3L(1A) for which the respondents argued is the correct construction of the subsection". Among other things, the Court was of the view that if the drafters of the Cybercrime Act 2001 (which inserted the relevant provisions) had not intended the provisions to authorise the executing officer to choose to seize a copy of all of "the data" on a computer hard drive, rather than only particular data that might constitute evidentiary material, the word "data" would not have been used in the manner it is.
67. Irrespective of whether or not that was the drafters' intent in 2001, it seems extremely unlikely that the drafters or Parliament would have even contemplated, let alone intended, that the provisions would authorise seizure of the entire content of an ISP's mail server hard drive. Material seized would include communications that had been temporarily delayed and stored during their passage over a telecommunications system. The Attorney-General's Department has consistently maintained since at least December 2001[27] that copying of such communications by law enforcement agencies was an illegal interception unless under authority of an interception warrant.
68. However, the TIA(SC) Act removed the interception prohibition resulting in a probably unintended consequence that now a Part 1AA warrant would authorise an executing officer to choose to seize a copy of the entire contents of an ISP's mail server instead of only evidentiary material relating to persons suspected of an offence.
69. We observe that new search warrant provisions for the ACCC have been included in the Trade Practices Legislation Amendment Bill (No. 1) 2005[28] and that these provisions, while generally modelled on the Crimes Act Part 1AA warrant, contain differences which appear significant in light of the above mentioned Court interpretation. The provisions appear intended to ensure that only material that is likely to be evidentiary material is authorised to be copied and seized, not the "data" being the entire content of a hard drive.
70. The Crimes Act Part 1AA warrant must be amended to ensure it cannot be interpreted as authorising copying and seizure of the entire contents of an ISP's mail server/hard drive merely because one or some customers' email might constitute evidentiary material.
6.2 Access from Warrant Premises to Remotely Stored Communications
71. A principal reason for enactment of the TIA(SC) Act was to resolve the issue of whether or not the AFP could lawfully use a Crimes Act Part 1AA search warrant, while at a suspect's premises, to access/download email stored remotely on an ISP's mail server by using the suspect's computer/email client to do so, or whether an interception warrant was necessary. The CDPP was of the opinion that Section 3L of the Crimes Act provided authority, while the Solicitor-General was of the opinion that an interception warrant was necessary.
72. The effect of the TIA(SC) Act was to permit the AFP to access telecommunications stored remotely.
73. Recently, related aspects of the Crimes Act 1914 Part 1AA search warrant have come to our attention that to our knowledge have not been previously raised or considered and which we consider require addressing if the practice of remote access to stored communications by the AFP is to be permitted to continue. These are discussed below.
6.2.1 Inappropriate notification of warrant execution to uninvolved persons
74. The TIA(SC) Act has resulted in an apparently unintended consequence of requiring law enforcement agencies to notify an ISP of the fact that a search warrant has been executed at one of the ISP's customer's homes or other premises.
75. Amendments to subsection 3LB of the Crimes Act are essential to protect the right of individuals whose premises are searched not to have personal, or any other, information about them unnecessarily disclosed to third parties by law enforcement agencies.
76. In this regard, subsection 3LB[29] states that if "data that is held on premises other than the warrant premises is accessed under subsection 3L(1)[30]" the executing officer must "notify the occupier of the other premises that the data has been accessed under a warrant" as soon as it is "practicable" to do so.
77. EFA considers s3LB demonstrates that s3L was not intended to authorise remotely accessing "data" that consists of a suspect's (or anyone else's) private communications stored on a telecommunications system. It is totally inappropriate for police to disclose to a telecommunications service provider that they have remotely accessed a customer's email under warrant executed at the customer's premises. This type of information about a customer should not be disclosed to the service provider; it is none of the service provider's business.
78. Subsection 3LB of the Crimes Act must be amended to prohibit notification to telecommunications service providers in the above circumstances.
6.2.2 Use of seized equipment to remotely access communications
79. It is unclear to EFA whether Part 1AA of the Crimes Act, or other powers of the AFP and/or other Commonwealth agencies, would authorise agencies who have seized equipment or information (e.g. copies of computer files or hard drives containing access passwords) to use such equipment/information, after removing same from the warrant premises, to remotely access stored communications.
80. EFA considers agencies should not be permitted to do so without specific authority from a judicial officer containing similar safeguards and controls as apply in the case of interception warrants.
6.3 Access by other means: "as authorised or required by law"
81. As a result of enactment of the TIA(SC) Act, content of communications stored on telecommunications service providers' equipment, whether or not the communication has been received by the intended recipient, has become accessible to many Commonwealth, State, and Territory government agencies and other persons under the provisions of the Telecommunications Act 1997[31] ("Telec. Act") which does not provide adequate protection for the content of communications.
82. The Telec. Act was drafted in 1995/96 when email services had only recently become publicly available in Australia and were not widely used. Accordingly, it seems unlikely that drafters would have considered the issue of protection of stored communications and, in any case, it would have seemed such communications were protected from disclosure by the TI Act. Certainly before December 2004, the requirement for an interception warrant under the TI Act over-rode the provisions of the Telec. Act in relation to accessing the content of communications that are delayed and temporarily stored during passage.
83. All stored communications now have less protection from disclosure by telecommunications service providers to government agencies and others, than postal mail has from disclosure by Australia Post and its employees.
84. Content of email, SMS and voice mail communications has become available, for example:
- without a warrant under Section 280(1)(b)[32];
- possibly without even a written request under Sections 282(1) and (2)[33];
- and without a warrant possibly under various other exceptions in Part 13.
85. Sections 280 and 282 are discussed below. (Other exceptions of concern in Part 13 have not been addressed in detail in this submission due to insufficient time available. Briefly, these are sections such as s284 (disclosures to ACA, ACCC and TIO), s291 (disclosures to other carriers or service providers), etc. which were never intended to apply to private communications between members of the public, that is, were not sent to a service provider employee in connection with the provision of service. We also question the original intent of s283 re disclosures to ASIO in that regard.)
6.3.1 Section 280 - Authorised by or under law
86. Section 280 of the Telec. Act states:
"280 Authorisation by or under law
(1) Division 2 does not prohibit a disclosure or use of information or a document if:
(a) in a case where the disclosure or use is in connection with the operation of an enforcement agency-the disclosure or use is required or authorised under a warrant; or
(b) in any other case-the disclosure or use is required or authorised by or under law.
(2) In this section:
enforcement agency has the same meaning as in section 282."
and Section 282(10) states:
"enforcement agency means:
(a) a criminal law-enforcement agency; or
(b) a civil penalty-enforcement agency; or
(c) a public revenue agency."
87. EFA considers Section 280 is far too broad in that it allows disclosure of the content of communications to many types of persons in many types of circumstances. The broad term "required or authorised by or under law" obviously includes statutory, judicial and quasi-judicial powers, such as court orders made during the discovery process, summons for witnesses to attend and produce records and subpoenas for documents. In addition, as stated in the ACA's Telecommunications and Law Enforcement Manual[34]:
"Section 280 covers the situation of disclosures being authorised or required under another law... Some agencies ... operate under special legislation which gives them a right to access information. The operation of this legislation might allow for the issue of ... instruments such as 'notices to produce'."
88. Furthermore, it appears Section 280 is not sufficiently clear to provide certainty in relation to disclosure of communications to enforcement agencies that are empowered to issue "notices to produce". In our view, Section 280(1)(a) appears intended to ensure that information cannot be disclosed under Section 280 to enforcement agencies (which is defined to include civil penalty-enforcement agencies) unless they have a warrant. However, it appears that some enforcement agencies may not, or may believe they do not, need a warrant. For example, as mentioned earlier herein, the Senate Legal Committee's July 2004 Report on the TIA(SC) Bill[35] states that:
"3.33 The representative of ASIC went on to note that in its view, if the Bill was enacted, ASIC would be able to use compulsory notices to access all emails stored at an ISP, whether they had been read or not: 'At least some of our compulsory notice powers are quite restricted in terms of what we could require production of, but they do not actually require that an offence has been committed or that we have suspicion that an offence has been committed before we can serve them. ...'"
89. Therefore it appears Section 280 requires amendment to provide greater clarity and certainty. Presently a telecommunications service provider would appear justified in declining to provide content of communications in response to a "compulsory notice" on the ground that ASIC is a civil enforcement agency (which is defined to mean "an agency responsible for administering a law imposing a pecuniary penalty") and therefore is required to obtain a warrant. If ASIC or any other agency with similar powers has a different interpretation of the Telec. Act, then an argument between the agency and the telecommunications service provider appears likely to ensue.
90. We also note that Section 280 allows significantly broader use and disclosure of the content of email and SMS communications than is permitted in relation to the content of postal mail. While s280 apparently allows the content of email to be disclosed when merely authorised (not required) by a law of the Commonwealth, States or Territories, postal mail can not be disclosed unless required by a law of the Commonwealth.
91. In this regard, the Australian Postal Corporation Act 1989[36] prohibits use or disclosure of "specially protected" information except for specified purposes. Specially protected information includes information or a document that "is, or relates to, an article, or some or all of the contents or substance of an article, that has been carried by post or is in the course of post" (s90G[37]). Australia Post employees are prohibited from disclosing information or a document that is, or relates to, some or all of the contents or substance of a postal article to government agencies except:
- as required by or under a warrant issued under a law of the Commonwealth or of a State or Territory
- as required by or under a law of the Commonwealth.
- as required by or under specified laws establishing crime/misconduct commissions.
92. EFA considers stored communications should have more protection from disclosure than postal mail, certainly not less as is the case at present.
6.3.2 Section 282 - Certified and Uncertified Requests
93. EFA submits that Section 282 is in need of urgent amendments to unambiguously exclude the use of un-certified requests under Section 282(1) or (2) to obtain/seize the content of communications and ensure a warrant is required. We do not believe these provisions were ever intended to permit disclosure of content at the mere request of a government agency.
94. Section 282 of the Telec. Act permits covert seizure of information about individuals by way of a certified request or an un-certified request (by an officer of a criminal enforcement, civil enforcement or public revenue agency) to a telecommunications service provider.
- Certified Requests
Sections 282(3), (4) and (5)[39] permit government agencies to obtain/seize information and documents about individuals and their communications from telecommunications service providers by making a certified request stating that the disclosure is "reasonably necessary" for the enforcement of the criminal law, or the enforcement of a law imposing a pecuniary penalty, or the protection of the public revenue. A certified request cannot, however, be used to lawfully obtain the content of communications (as stated in Section 282(6)).
- Un-certified Requests
Sections 282(1) and (2)[40] are of greater concern than the above because it is unclear whether or not Sections 282(1) and (2) apply to the content of communications. These provisions permit telecommunications service providers to disclose documents and information about individuals and their communications to government agencies without a warrant or even a written certified request, if the service provider considers the disclosure or use is "reasonably necessary" for the enforcement of the criminal law, or the enforcement of a law imposing a pecuniary penalty, or the protection of the public revenue. The Telec. Act is silent on whether or not Sections 282(1) and 282(2) permit disclosure of the content of communications. While Section 282(6) states that a written certified request can not be used to obtain content of communications, it does not mention the use of un-certified requests in this regard.
95. The Attorney-General's Department acknowledged the possibility of obtaining the content of communications under Section 282(1) and (2) of the Telec. Act (i.e. without a warrant of any type) in their 1999 Report titled Telecommunications Interception Policy Review[41] and this aspect of the Telec. Act has not been amended since the 1999 Report. The Report states:
"Section 4.3 - Access to stored data[42]
...
4.3.11 Access by enforcement agencies to information held by C/CSPs [under the Telecommunications Act] is by means of two primary mechanism, certified and uncertified requests.
4.3.12 Subsection 282(6) of the Telecommunications Act provides that the certificate provisions [also known as certified requests] in subsections 282(3), (4) and (5) do not apply to the contents of a communication whether or not the communication has been received by the intended recipient. [emphasis added]
4.3.13 However, this still leaves the possibility that subsections 282(1) and (2) [un-certified requests] can apply in respect of the content of stored communications. That is, an enforcement agency (including civil penalty-enforcement and public revenue protection agencies) could get access to the contents of a stored communication if the disclosure of the stored communication is reasonably necessary for one of the purposes listed in subsections 282(1) and (2). [i.e. enforcement of a criminal law or a civil law]
4.3.14 The draft ACIF Assistance to Enforcement Agencies Code has had to address this issue. ... Currently Clause 2.7.2 says-
'S282(1) and (2) may authorise disclosure of content and substance. In view of the sensitive nature of the disclosure where content and substance are involved it would be prudent for Organisations (that is carriers and carriage service providers) to obtain legal advice. ...' "
[Note: The same Clause 2.7.2 was contained in final industry code issued in 2001 - ACIF C537:2001. However, that Code was de-registered by the Australian Communications Authority[43] in June 2003.]
96. The uncertainty concerning s282(1) and (2) is also apparent in documents issued by the Australian Communications Authority ("ACA"). The ACA's Fact Sheet Internet Service Providers and Law Enforcement and National Security[44] states:
"What about stored communications?
Access to the content of communications (for example, electronic mail) stored on an ISP's server is unlikely to fall within reasonably necessary assistance [i.e. s282(1) and (2)]. An agency may use a general search or interception warrant or some other statutory provision to access stored communications."
97. That the ACA was only able to say "unlikely", even before enactment of the TIA(SC) Act, demonstrates that they, like the Attorney-General's Department, recognise the possibility that s282(1) and (2) might apply in respect of the content of stored communications. Obviously the Telec. Act is insufficiently clear to ensure protection of the content of communications from access/seizure without a warrant.
98. Section 282 was intended to facilitate provision of information such as customer identification details and telephone call charge records, and it is very frequently used for those purposes. However, we understand it is now also used to obtain information such as the source, path and destination of email communications including for example, the date and "To" and "From" details of email messages. In the 2003-2004 year, 408,029 disclosures of information or documents were made to government agencies without a warrant or even certificate (i.e. un-certified requests under s282(1) and (2)) by telecommunications service providers and number database operators. This is 58% of the total disclosures (700,871) under Part 13 of the Telec. Act. Certified requests were used in 264,293 instances (38%). Warrants (s280) were obtained in less than 3,745 instances (0.53%). The latter figure includes statutory notices to produce, etc, as well as warrants. (Source: ACA Annual Report 2003-2004[45]). Statistics in the previous few years were substantially similar.
99. Section 282 must be amended to unambiguously ensure that the content or substance of communications is not permitted to be disclosed by way of a request from government agencies under Sections 282(1) and (2).
6.4 Broad Secondary Use and Disclosure
100. The Telec. Act does not afford adequate protection from subsequent (e.g. secondary) use and disclosure for the content of communications that have been lawfully disclosed under that Act.
101. For example, when content of a communication is disclosed under s280 "required or authorised by or under law", then the recipient is also permitted to use or disclose it if the disclosure or use is "required or authorised by or under law" (s297).
102. The above is in stark contrast to the protection afforded to the content of postal mail.
103. When information or a document that "has been carried by post or is in the course of post" has been disclosed "as required by a law of the Commonwealth" (not merely "authorised" and not a law of a State/Territory) in accord with the Australian Postal Corporation Act 1989[46] by an Australia Post employee to another person, the other person is only permitted to use or disclose the information or document "for the same purpose as the purpose for which the original disclosure was made" (s90LF[47]). Use or disclosure for any other purpose is prohibited conduct punishable by imprisonment for a period not exceeding 2 years (s90LE[48]).
104. All secondary use/disclosure provisions of the Telec. Act must be amended in a manner that ensures the content or substance of a communication is only permitted to be used or disclosed for the same purpose as the purpose for which the original disclosure was made.
6.5 Lack of Requirements to Destroy Irrelevant Information
105. EFA is highly concerned that there is currently no legislated requirement that government agencies destroy unnecessary or irrelevant personal information and communications, especially in relation to third parties, that they collect as a result of obtaining so-called stored communications. As reported in the Senate Committee's July 2004[49] report:
"3.38 In a supplementary submission to the Committee, the Office of the Federal Privacy Commissioner noted that the Privacy Act 1988 does not require agencies such as the AFP to destroy information about individuals that is not relevant to its functions or activities:
The Information Privacy Principles (IPPs) in the Privacy Act 1988 (the Privacy Act) apply to information about individuals handled by most Commonwealth agencies, including the Australian Federal Police (AFP).
It is important to note in the context of the current Bill that the IPPs do not include a requirement to destroy data that is not relevant to an agency's functions or activities. This is in contrast, for example, to the National Privacy Principles (NPPs) that apply to the private sector (see NPP 4.2). Therefore, information about third parties may be able to be retained indefinitely by an agency.
In light of this, the Committee may wish to consider whether there are adequate existing legislative obligations, in relation to the destruction of unnecessary or irrelevant personal information (for example, that not needed in an investigation), on agencies and others that might be permitted to collect information about third parties from stored communications, if the Bill is enacted.33
3.39 The Committee suggests that this issue is considered in the review of the Act."
106. EFA considers it extremely unlikely that all government agencies who are currently able to obtain copies of email, SMS and voice mail messages are subject to legislated obligations to protect privacy other than the IPPs.
107. We consider the Privacy Act 1988 should be amended to include a requirement to destroy personal information and content of communications of third parties that is obtained from collection of stored communications under warrant or any other form of authorisation that is not directly related to and necessary for the purpose for which the warrant or other authorisation was issued.
108. However, obviously amending the C'th Privacy Act 1988 will have no effect on the problem in relation to irrelevant communications of third parties collected by State/Territory government agencies. Furthermore, privacy legislation covering government agencies does not exist in all States (e.g. Queensland).
6.6 Insufficient Reporting Requirements & Auditing
109. The existing provisions of the Telecommunications Act 1997 lack adequate reporting provisions. Not only do the current provisions far too readily facilitate "fishing trips" by government agencies, but there is no means of knowing whether un-certified requests have been used to seize the content of communications. There is also no means of knowing whether certified or un-certified requests have been used to surveil Internet users by obtaining records identifying information they view, distribute or download.
110. Telecommunications service providers are required to record details of disclosures (s.306) and give a written report about disclosures to the Australian Communications Authority ("ACA") annually (s.308). However, the ACA is not required to monitor compliance with this aspect of the legislation.
111. Furthermore, although Section 50(2)(g) of the Australian Communications Authority Act 1997[50] requires the ACA to include statistical information in its Annual Report[51] relating to the reported disclosures, that information does not provide any indication of whether disclosures under s282(1) and (2) concerned content of communications or other types of information such as telephone call charge records. Also, reporting on disclosures under Section 280 does not distinguish between disclosures involving content of communications and other information. The broadness of Section 280 also creates the problem referred to in the ACA's 2002-2003 Annual report[52]:
"...[public revenue and pecuniary penalty agencies] agencies may request disclosure of customer information using legislative powers other than those specifically provided for in section 282 of the Telecommunications Act, which makes it more difficult for the ACA to monitor the precise number of disclosures relating to the enforcement of pecuniary penalties and the protection of public revenue."
112. The function of monitoring compliance with the law regarding disclosures by service providers is conferred on the Privacy Commissioner (s. 309 Telec. Act) including "whether a record made under section 306 sets out a statement of the grounds for a disclosure; and whether that statement is covered by Division 3 (which deals with exceptions)".
113. However, it is unlikely that the Commissioner's office has undertaken that function since 2001 due to insufficient funding and staffing.
114. In February 2003 the Privacy Commissioner informed a Senate Estimates Committee[53] that due to the number of complaints being received since the commencement in December 2001 of privacy laws covering the private sector, it had been necessary to divert staff from other areas of the office to the complaints area. The Commissioner advised that in the 2002-2003 year his office would undertake only four audits of Commonwealth and ACT agencies and people who fall under the credit provisions of the Privacy Act.
115. In July 2004 the Acting Privacy Commissioner informed the Senate Legislation Committee that:
"the Privacy Commissioner has limited powers under s. 309 of the Telecommunications Act to monitor the compliance of telecommunications service providers with their record keeping obligations under the Telecommunications Act. With the work of the Office of the Federal Privacy Commissioner's compliance section currently focussed on complaint-handling, it is not carrying out audits in a range of areas, including under this provision."
116. Given this situation has existed since 2001, it appears unlikely that the Commissioner's office will be sufficiently well funded and staffed to be able to adequately do so in the foreseeable future. While the recent budget allocates additional funding to the Commissioner's office, it appears this is related to additional functions arising in relation to new/recent Government proposals with privacy impacts.
117. It is essential that monitoring/auditing functions in relation to disclosures under the Telec. Act be undertaken annually, and especially in relation to content of communications. Either the Commissioner's office needs to be adequately funded to do so, or other legislative arrangements need to be put in place to enable and ensure proper monitoring and auditing.
118. Furthermore, the Telec. Act does not require the Privacy Commissioner to report to the Minister, nor the Minister to report to the Parliament, concerning compliance with the privacy and disclosure provisions of the law.
119. EFA considers that the Telec. Act should be amended to require, at a minimum, disclosure reports to show the number of disclosures involving content of communications, including the section authorising such disclosure and the names of government agencies/departments to whom disclosures were made (as are shown in Australia Post's Annual Report concerning disclosures of content of postal mail). It should also require the Minister to issue a report annually concerning disclosures of information, including the effectiveness of such disclosures in combatting crime, that is, similar to reports required to be issued in accord with Part IX Division 2 of the TI Act.
120. In addition, if access to stored communications is to remain widely available under the Telec. Act, this obviously increases the number of disclosures by telecommunications service providers and the cost to them in complying with related reporting obligations. Service providers should be reimbursed for such costs. Their activities in this regard are in connection with law enforcement and accordingly the cost should be borne by the government/public, not by only the customers (in increased service charges) of the particular service providers who happen to be served with warrants or other access/production orders.
7. Policy Options for Achieving the TI Act Objectives
121. As discussed earlier herein, EFA is of the view that all communications that are being, or have been, carried over a telecommunications system should be afforded protection of the TI Act while they remain stored on a telecommunications service provider's equipment. We consider such an approach is the only means of providing certainty in relation to means of lawful access by government agencies and appropriate protection for the privacy of individuals who use the telecommunications system.
7.1 Definition of "interception"
122. The definition of interception should be amended to that proposed in the First 2004 Bill:
6 Interception of a communication
(1) For the purposes of this Act, but subject to this section, interception of a communication passing over a telecommunications system consists of listening to, recording, reading or viewing, by any means, such a communication in its passage over that telecommunications system without the knowledge of the person making the communication.
123. For the avoidance of doubt, "reading" should be defined in a manner similar to that expressed in the Attorney-General's Department's letter to the Senate Committee dated 19 March 2004, which was "reading refers to the human act of reading, and apprehending the meaning of, written words, rather than electronic or mechanical scanning of data".
124. In addition, a new subsection should be inserted in Section 6 substantially the same as the following (which has been copied from the U.K. Regulation of Investigatory Powers (RIP) Act 2000 and some words replaced with equivalents that are already defined in the TI Act):
For the purposes of this Act, the times while a communication is passing over a telecommunications system shall be taken to include any time when the telecommunications system by means of which the communication is being, or has been, carried is used for storing it in a manner that enables the intended recipient to collect it or otherwise to have access to it.
7.2 Definition of "stored communications"
125. A "stored communication" should be defined as a communication that is being, or has been, carried by a telecommunications system and is stored on a (telecommunications) carriage service provider's equipment ('equipment' as defined in the TI Act), but does not include a VOIP or other highly transitory communication.
126. In our view, the "stored communication" definition needs to refer to the carriage service provider's equipment in order to clearly exclude the intended recipient's own equipment on which a communication is finally received because the definition of "carry" in the TI Act includes "receive". An alternative option may be to refer to equipment that is located on the carriage service provider side of the cabling/network boundaries as are defined in the Telec. Act.
7.3 Exceptions to prohibition on access/interception
127. An exception should be inserted, similar to the one in the First 2004 Bill, to ensure that access by the intended recipient or a person authorised by them is not an illegal interception.
128. An exception should also be inserted addressing concerns in relation to use of human reading in protecting organisations' own internal networks from viruses etc and possibly in relation to the AFP remotely intercepting/accessing stored communications when lawfully using an intended recipient's equipment. These matters are discussed later herein.
8. Regulation of Access to Communications
8.1 General Principles
8.1.1 Warrants authorising access
129. EFA is of the strongly held view that access to communications stored on a telecommunications service provider's equipment should not be permitted except under authority of a warrant issued for that specific purpose by a Judge or nominated member of the AAT. The covert nature of searches at telecommunications service providers' premises, as discussed in Section 6.1.1 earlier herein, together with the high potential for invasion of privacy of non-suspect individuals, necessitates safeguards and controls greater than those that apply to search warrants executed on a suspect individual's premises.
130. In this regard we observe the Guide To Framing Commonwealth Offences, Civil Penalties And Enforcement Powers[54] prepared by the Attorney-General's Department states:
"9.6 Seizure under warrant
Seizure by warrant, with interim power to secure if necessary
Principle: Seizure should only be allowed under a warrant, even if entry and search without warrant are permitted. Where entry is allowed without warrant, the legislation may provide that items may be secured, pending a warrant application.
Discussion: Seizure is a significant coercive power and the Commonwealth has consistently taken the approach that it should require authorisation under warrant. An example of a power to secure an item while a warrant authorizing seizure is sought can be found in subsection 90-4(2) of the Aged Care Act 1997.
Senate Committee Views: The Scrutiny of Bills Committee has taken the view that seizure should generally only be authorised under a warrant (Report 9/2002 pages 374-75)."
8.1.2 Warrant Issuers
131. We note that AFP's March 2004 submission to the Senate Committee[55] stated that:
"66. Existing search warrant accountabilities (eg, application to independent issuing officer, ...) satisfy the Senate Standing Committee's principles as recommended in their report."
132. We also note, in relation to independent issuing officers, that the Senate Standing Committee stated in their report that:
"1.48 ...The power to issue warrants to enter and search premises should only be conferred on judges and magistrates (judicial officers); justices of the peace should not have this power, nor should a Minister or departmental officer." [emphasis added]
133. However, numerous existing search warrants can be issued by justices of the peace and/or by departmental officers, under specific search warrant legislation and under other legislation that provides particular agencies with search powers. A few of the numerous examples are:
- in Tasmania, an "issuing officer in relation to a warrant to search premises, means a justice of the peace but does not include a magistrate" (Search Warrants Act 1997 (Tas) s 3) [emphasis added].
- in Queensland, an application for a search warrant can be made to "any justice", which includes a justice of the peace (Police Powers and Responsibilities Act 2000 (Qld) s 68(2)).
- in NSW, search warrants can be issued by "a person who is employed in the Attorney General's Department" and who has been declared by the Minister to be an "authorised justice" (Search Warrants Act 1985 (NSW) s 3).
- A C'th Crimes Act warrant can be issued by "a justice of the peace or other person employed in a court of a State or Territory who is authorised to issue search warrants or warrants for arrest, as the case may be" (Crimes Act 1914 (C'th) s 3c)
134. Search warrants can also be issued by persons who may be biased against giving adequate consideration to privacy issues connected with uninvolved third parties, such as officers of government departments responsible for regulatory outcomes. As discussed at some length in the Senate Standing Committee's Report, a considerable number of Commonwealth, State and Territory government agencies have power to issue search warrants to their own staff, and some have other statutory authority to conduct searches without a warrant from a judicial officer.
135. EFA is of the strongly held view that no government agencies or any other entities/persons should be permitted to obtain the content of communications from telecommunications service providers without, at the least, a warrant for that specific purpose issued by a Judge of a Federal Court or a Judge of a State/Territory Supreme Court or a nominated member of the AAT.
8.1.3 Notification to Subject Individuals unless Rigorous Controls/Safeguards
136. EFA is strongly opposed to government agencies being permitted to, in effect, covertly access the content of communications stored at telecommunications service provider's premises. In our view this should not be permitted unless it is done either:
- under authority of a warrant involving the same controls and safeguards against misuse of powers as interception warrants; or
- under legislated conditions requiring notification of the search and/or seizure to, at the least, persons who are the subject of the warrant (see further below); and/or
- a Public Interest Monitor is involved in the grant of all warrants and also has a monitoring role in relation to execution of same (see further below).
137. In relation to interception warrants, the 1994 Barrett Report recommended that:
'agencies should be required to notify any innocent person whose telephone service has been intercepted of the fact of interception within a period of 90 days of the cessation of the interception. If this proposal is not accepted, agencies should be required to maintain a register of incidents where the telephone service of an innocent person has been intercepted; the register should be made available to the relevant inspecting agency for inspection and report to the Attorney General'.
138. and stated that:
'the objectives of the [notification] requirement would be two-fold - to enhance the privacy protection for innocent persons and to impose an added discipline on law enforcement agencies to exercise great care in deciding whether to apply for warrants.'[56]
139. While the then government did not accept the notification recommendation, the TI Act was amended in 1995[57] with provisions establishing "a new special register with details of warrants which do not lead, directly or indirectly, to a prosecution" which the government considered would "provide a similar level of protection against misuse".
140. The special register provisions still exist as a protection against misuse of interception powers, however currently there are no protections against misuse of, in effect, covert search powers at telecommunications service providers' premises.
141. We also note that the Senate Scrutiny of Bills Committee Report[58] states that the AFP, in seeking power to conduct covert searches at premises, suggested safeguards which included a requirement of "notifying the occupier of the details of any covert search once charges were preferred, or an investigation finalised, or the reasons for the investigation remaining covert no longer applied".
142. EFA considers that individuals who have been the subject of covert surveillance by way of accessing their communications at a telecommunications service provider's premises should be notified of the details of that covert search/surveillance.
143. A Public Interest Monitor should be involved in the granting of warrants, especially if it is not required that individuals be notified.
144. Such a role should include functions similar to the Queensland Public Interest Monitor which include, among other things, to appear at any hearing of an application for a surveillance warrant or covert search warrant to test the validity of the application, and for that purpose at the hearing:
"(i) present questions for the applicant to answer and examine or cross-examine any witness; and
(ii) make submissions on the appropriateness of granting the application;
and
(c) to gather statistical information about the use and effectiveness of surveillance warrants and covert search warrants; and
(d) whenever the public interest monitor considers it appropriate--to give to the commissioner a report on noncompliance by police officers with this part."
(Queensland Police Powers and Responsibilities Act 1997, Section 159[59])
145. In addition, Public Interest Monitors' functions should include a role in relation to monitoring execution of warrants including the extent of collection of irrelevant communications of the suspect and of non-suspects and whether such privacy intrusions significantly outweigh the collection of communications relating to criminal conduct.
8.1.4 State/Territory Government Agencies
146. During the past three years, some commentators argued that communications temporarily delayed and stored during passage should no longer be protected by the TI Act because some State/Territory criminal law enforcement agencies do not have interception powers. For example, the AFP's March 2004 submission[60] referred to the Queensland Police in that regard as a reason for opposing the First 2004 Bill which would have retained the TI Act protections for telecommunications that are temporarily delayed and stored during passage.
147. It should be recognised however that the reason Queensland Police do not have the power to obtain an interception warrant is because the Queensland Government is of the view that the safeguards and controls of the C'th TI Act are not sufficient. As stated by the Queensland Premier in Queensland Parliament:
"In relation to using telephone interception for fighting terrorism, ... [t]he joint QPS-AFP [counterterrorism] team would have very ready access to the AFP's phone tapping capacity if terrorism activity were to unfold in Queensland. So when it comes to terrorism there is no problem about QPS access to telephone intercepts capacity - no problem whatsoever....we in Queensland cannot introduce telephone interception powers with...appropriate safeguards such as the PIM - that is, the Public Interest Monitor. This is because the Telecommunications (Interceptions) Act 1979...would trump any state legislation that was inconsistent with it, including providing for modifications of the warrant applications system such as PIM. Therefore, the Queensland government cannot constitutionally institute safeguards like the PIM into the telecommunications interception application process. This can only be achieved by amendment to the Commonwealth legislation. We have not released this publicly but I will share it with the member: the state Attorney-General has written to the Commonwealth about this matter at my request asking whether the Commonwealth would consider amending the legislation to enable states to introduce additional safeguards in the warrant application process." (Queensland Hansard, 12 May 2004)
"The Queensland Government has consistently insisted we will grant no interception powers unless and until they are covered by appropriate safeguards such as the Public Interest Monitor. Constitutionally, the Commonwealth must first amend legislation. We have been talking to the Commonwealth but obviously these talks are on hold during the caretaker period." (Queensland Hansard, 30 Sep 2004)
148. Similarly, the Tasmanian Police have not had interception powers because the Tasmanian Government chose not to provide such powers to Tasmanian Police. While the Tasmanian Parliament enacted Tasmanian interception legislation in 1999, that legislation did not fully comply with requirements of the C'th TI Act. It was not until five years later in September 2004 that the Tasmanian Government introduced the minor technical amendments to the 1999 legislation necessary to comply with the C'th TI Act. We assume the Tasmanian Police would have become authorised to obtain interception warrants since September 2004.
149. Hence, arguments that temporarily delayed and stored communications should be excluded from coverage of the TI Act because some police do not have interception powers are extremely weak. The only reason they do not have, or did not have, such powers is because the relevant State/Territory Governments have chosen not to so empower their police services.
8.2 Regulation of Access by Criminal Law Enforcement Agencies
8.2.1 Existing Interception Warrants
150. It is not clear to EFA how interception warrants have, in the past, operated in practice for the purpose of obtaining copies of "stored" communications (whether or not received by the intended recipient) from telecommunications service providers.
151. However, it appears there may be some unnecessary practical difficulties for law enforcement agencies and telecommunications service providers that could be addressed and resolved.
152. For example, there have been indications during Senate Committee inquiries[61] to the effect that authorised interception agencies who wanted access to communications that were temporarily stored during transit, and also those no longer in transit, may have been finding it necessary to present an interception warrant to access the former and also a search/seizure warrant to access the latter.
153. Whether or not two warrants were previously necessary, it appears to us that since passage of the TIA(SC) Act an authorised interception agency obtaining a named person interception warrant would not be able to use that warrant to access the named person's "stored communications", that is, it appears they would need two warrants. Since stored communications have been excluded from the protection of the TI Act, access to same is not an unlawful interception and therefore it seems an interception warrant cannot authorise something that is not otherwise unlawful under that Act, that is, access to stored communications. Some "other form of lawful authority, such as a search warrant" is necessary.
154. If existing interception warrants will in future be used to access "stored communications", the interception warrant provisions should be amended to provide:
- that an applicant seeking authority to intercept/access communications that will be received after the interception warrant is issued, as well as to access communications that have previously been received and stored, must so inform the warrant issuer; and
- the warrant issuer must take into consideration the potential privacy invasion of uninvolved persons arising from the fact that the previously stored communications may include communications that have been sent by non-suspect individuals as well as the suspect over a much longer period than the maximum 90 days for which an interception warrant can be issued, and that the warrant issuer may include warrant conditions limiting access to such stored communications; and
- that access to stored communications is authorised only in relation to communications sent by, or received by, specified telecommunications service/s (e.g. an email account address) or named person/s.
8.2.2 Other Warrants Authorising Access to Stored Communications
Option A: Implement stored communications warrant provisions in TI Act
155. We consider that a new type of warrant (e.g. a "stored communications warrant") should be created for the specific purpose of authorising access to communications stored on a telecommunications service provider's equipment. Appropriate provisions regulating issue and use of a new warrant should be inserted into the TI Act and access under authority of such a warrant made an exception to the prohibition on interception.
156. This proposal is based on similar provisions under U.K. law which, as stated in the Explanatory Notes[62] to the U.K. Regulation of Investigatory Powers Act 2000[63], "cover circumstances where, for example, a person has been arrested in possession of a pager, and the police have reason to believe that the messages sent previously to that pager may be of assistance in the case. In this case they would be able to seek from a circuit judge an order under Schedule 1 to the Police and Criminal Evidence Act 1984 for the stored data to be produced".
157. The U.K. Police and Criminal Evidence Act 1984 ("PACE") does not allow use of a general search and seizure warrant to obtain "excluded material" or "special procedure material" for the purposes of a criminal investigation. "Special procedure material" includes, among other things, material acquired or created in the course of any trade, business, profession or other occupation which is held subject to an express or implied undertaking to hold it in confidence. It includes, for example, a person's financial records held by a bank, and communications that remain stored on a telecommunications service provider's equipment after they have been received by the intended recipient. In order to obtain/access special procedure material, police are required to make an application to a circuit judge for a PACE Schedule 1 production order or search/seizure warrant, issue of which requires the judge to be satisfied in relation to a number of matters that are not required to be considered in granting of general search/seizure warrants.[64]
158. The TI Act should include provisions relating to a warrant (e.g. a "stored communication warrant") that are substantially similar to the following.
- Issuers of Warrants:
159. In our view "stored communication warrants" should only be able to be issued by persons eligible to issue interception warrants under the TI Act. However, if this is considered to be impractical, for example, if there is an insufficient number of such persons willing or available in some States/Territories to issue warrants, then arrangements should be made to enable persons who are Judges of a State or Territory Supreme Court to issue a warrant in accordance with "stored communication warrant" provisions in the TI Act.
- Issuing Conditions:
- In relation to Class 1 and Class 2 offences, that a warrant may be issued only if there are reasonable grounds for suspecting that "a particular person" is using, or is likely to use, the service (e.g. email account or mobile phone account) and that obtaining the 'stored communications' would be likely to assist in connection with the investigation of an offence "in which the person is involved" (i.e. the same as interception warrants); and
- In relation to Class 1 offences, that the warrant issuer is required to have regard to the same matters as for a Class 1 interception warrant.
- In relation to Class 2 offences, that the warrant issuer is required to have regard to the same type of matters as for a Class 2 interception warrant, for example:
(a) how much the privacy of any person or persons would be likely to be interfered with by accessing, and/or seizing copies of, the 'stored communications' including, but not limited to, the fact that the stored communications may include communications that have been sent, received and stored during past months and years, and that the warrant issuer may include warrant conditions limiting access to stored communications;
(b) the gravity of the conduct constituting the offence or offences being investigated;
(c) how much the 'stored communications' would be likely to assist in connection with the investigation by the agency of the offence or offences;
(d) to what extent methods of investigating the offence or offences that do not involve accessing 'stored communications' at a third party/service provider's premises have been used by, or are available to, the agency;
(e) how much the use of such methods would be likely to assist in connection with the investigation by the agency of the offence or offences; and
(f) how much the use of such methods would be likely to prejudice the investigation by the agency of the offence or offences, whether because of delay or for any other reason.
- In relation to offences that are not Class 1 or Class 2 offences, that warrants may be issued:
- in relation to indictable offences and Commonwealth civil penalty offences of the type investigated by e.g. ASIC, ACCC and ATO; when
- there are reasonable grounds for believing that a particular person is using, or is likely to use, the service (e.g. email account or mobile phone account) to which the stored communications relates; and
- there are reasonable grounds for believing that the stored communications are likely to include evidential material that is likely to be of substantial value (whether by itself or together with other material) in connection with an offence in which the particular person is involved; and
- in determining whether a warrant should be granted, the warrant issuer should be required to have regard to matters such as the following:
- how much the privacy of any person or persons would be likely to be interfered with by accessing, and/or seizing copies of, the 'stored communications' including, but not limited to, the fact that the stored communications may include communications that have been sent, received and stored during past months and years, and that the warrant issuer may include warrant conditions limiting access to stored communications;
- whether the communications or documents sought can be identified or described with sufficient particularity, whether by date range, or the content of e.g. 'To' and 'From' fields in email messages, or any other means, in order to minimise the privacy intrusion involved in accessing/seizing communications that may have been stored over many months or years;
- whether the stored communications are likely to include communications the subject of legal professional privilege, and if so whether communications sought to be seized should be placed in the confidential safekeeping of an independent person and the relevant individual provided with the opportunity to prevent disclosure of any such communications to the agency, by way of liaison with the agency and if that fails by application to the issuer of the warrant;
- the nature of the offence in respect of which the warrant is sought;
- the gravity of the conduct constituting the offence in respect of which the warrant is sought;
- to what extent methods of obtaining the evidential material that do not involve accessing 'stored communications' at a third party/service provider's premises are available to the agency;
- whether such other methods of obtaining the evidential material:
- have been tried but have failed; or
- have not been tried because it appeared that they were bound to fail; or
- are likely to be too dangerous to adopt in the particular case;
- the evidentiary value of any evidence sought to be obtained.
- Applicants for a Warrant:
160. Criminal law enforcement agencies/crime commissions that are currently authorised to obtain an interception warrant should also be authorised to apply for a "stored communication warrant".
161. Other State/Territory criminal law enforcement agencies (i.e. those that are not currently authorised to obtain interception warrants) should not be permitted to obtain a "stored communication warrant" until/unless the relevant State/Territory Government requests the Commonwealth Government to make such warrants available to them. Such State/Territory agencies have not been permitted to access temporarily delayed and stored communications (except during the current twelve month operation of the TIA(SC) Act) and there is no indication, let alone evidence, that the relevant Governments consented to this automatic expansion of their police officers' powers. It should be recognised that, for example, the Queensland Government has intentionally not granted Queensland police the power to obtain interception warrants because the Government is of the view that the safeguards and controls of the TI Act are not sufficient.
- Safeguards and Controls:
162. All of the safeguards and controls applicable to interception warrants should also be implemented in relation to "stored communication warrants" except those that are not relevant to accessing stored communications, e.g. notification to the AFP for arranging a telephone call interception line etc.
163. If the same safeguards and controls are not implemented, then it would be essential to include, in the TI Act, provisions requiring either notification to persons (at the least the subject of the warrant), or the involvement of a Public Interest Monitor in issue of and monitoring execution of "stored communication warrants".
Option B: New special purpose C'th and State/Territory warrants
164. If Option A is not implemented, the following less acceptable alternative would be a considerable improvement on the current access situation.
165. If this option were to be implemented, an essential component would be provisions requiring and ensuring notification to persons, or that a Public Interest Monitor be involved in issue of warrants and monitoring of execution of same.
166. For the reasons detailed earlier herein, we do not consider existing search/seizure warrants to be remotely suitable for execution on a telecommunications service provider's premises.
167. Accordingly we consider that new Commonwealth warrant provisions would need to be created and incorporated in, for example, Part 1AA of the Crimes Act for the specific purpose of authorising access to communications stored on a telecommunications service provider's equipment. Such a warrant should be specified in the TI Act as a means of lawful access, i.e. an exception to the prohibition on interception.
168. The provisions in relation to conditions of issue of such a warrant should be the same as referred to in Option A above.
169. State and Territory Governments should be invited to develop and legislate the same, or at least substantially similar, warrant provisions for their police. The TI Act should include provision for State/Territory warrants that are substantially the same as the proposed new Commonwealth warrant (and are only able to be issued by a person who is a Judge of a Supreme Court) to be named in the TI Act as an exception to the prohibition on interception at the request of a relevant State/Territory Government. Such provisions could authorise the C'th Attorney General to determine that a particular State/Territory warrant is a lawful means of access, that is, a similar process/procedure to the way in which State/Territory law enforcement agencies become authorised to obtain interception warrants after the C'th Attorney General determines that a State's/Territory's interception legislation meets the relevant requirements of the C'th TI Act.
170. However, it would be essential that State/Territory Governments be able to incorporate additional safeguards in their warrant provisions so that, for example, if a government wishes to have their Public Interest Monitor involved in issue of their warrants that does not prevent their warrant becoming a lawful means of access for their police.
171. Reporting and monitoring/auditing provisions would need to be included in the TI Act in relation to stored communications, or the reporting and monitoring/auditing provisions of the Telec. Act would need to be significantly improved in relation to disclosures by telecommunications service providers in response to stored communication warrants.
8.2.3 Related Necessary Amendments to the Telecommunications Act 1997
172. A number of amendments to the Telec. Act are essential whether or not the TI Act is amended in a manner similar to Option A or B of Section 8.2.2 above, or remains the same as currently. However, the particular amendments that would be necessary depend to a significant extent on whether the TI Act is amended and if so the effect of such amendments. It is therefore impractical for us to attempt to detail herein all of the amendments that would, or could, be necessary. Amendments that would be necessary include, but are not limited to, the following:
173. (a) If the TI Act is to be amended in a manner similar to Option A or B above:
- Part 13 of the Telec. Act would need to be amended to permit disclosure of "stored communications" only as required by a "stored communications warrant" issued under the TI Act or other specific exceptions in the TI Act.
- The TI Act would need to strictly regulate secondary use and disclosure of stored communications, that is, the same as existing provisions concerning secondary disclosure and use of intercepted communications.
- Reporting and monitoring/auditing provisions in relation to disclosure of stored communications would need to be included in the TI Act, or perhaps alternatively could be implemented in the Telec. Act; however, the Telec. Act would need to be significantly improved, as discussed under Section 6.6 earlier herein, in relation to disclosures by telecommunications service providers in response to "stored communication warrants" or any other exception permitting disclosure of the content or substance of communications.
- Section 280 of Part 13 of the Telec. Act must be amended to exclude it from being applicable to the content or substance of communications. A new section e.g. "Section 280A" would need to be inserted concerning content or substance of communications which significantly narrows the circumstances in which stored communications may be used and disclosed. Disclosure and use should be prohibited except as required by a warrant issued under a law of the Commonwealth or of a State or Territory or as required by a court order.
- Section 282(1) and (2) of Part 13 of the Telec. Act must be amended to unambiguously prohibit use or disclosure of the content or substance of communications as a result of an uncertified request by a government agency.
- All other exceptions permitting use or disclosure in Part 13 of the Telec. Act must be reviewed and amended to exclude the content or substance of communications.
- Secondary use and disclosure provisions of the Telec. Act must be amended to prohibit subsequent use and disclosure of stored communications except for the same purpose for which it was originally disclosed by a telecommunications service provider.
- Reporting and monitoring/auditing provisions of the Telec. Act must be significantly improved in relation to disclosure of the content or substance of communications by telecommunications service providers, as discussed in Section 6.6 earlier herein.
8.2.4 Access to Remotely Stored Communications by AFP
174. If the AFP is to be permitted to continue remotely intercepting/accessing undelivered communications when conducting a search of an individual's premises under authority of a Crimes Act Part 1AA warrant, then the warrant provisions require amendment as discussed in Section 6.2.
175. While we remain concerned about this type of interception under authority of a search warrant, and would prefer it not be permitted, it is in our view less problematic than covert searches undertaken at a telecommunications service provider's premises, that is, without the knowledge of the intended recipient.
176. Further, if such interception/access is to continue, an express exemption for that purpose should be inserted in the TI Act. Authorising the AFP to intercept in such a manner does not justify removing temporarily delayed and stored communications from the coverage of the TI Act.
177. We also note that in relation to the First 2004 Bill, the AFP recommended that the issue be dealt with by way of an exemption:
"In relation to overcoming the severe operational difficulties that the proposed amendment in item 10 [definition of interception extended to reading and viewing] of the Bill will impose, the AFP remains of the view that where access to a stored communication held remotely is done under the lawful authority of another Act, there should be an express exemption under the TI Act for this purpose. This approach would enable the AFP to secure important evidence in a timely manner, and in a best case scenario, to act quickly in the interests of preventing, for example, a terrorist incident." (AFP's March 2004 subm No. 7a)[65]
178. In relation to State/Territory criminal law enforcement agencies, we do not know whether or not any State/Territory search warrants include authority to remotely access "data", nor have we had time to investigate this matter. However, obviously State/Territory governments could grant their agencies such power at any time which may involve the same problem as the current C'th warrant in relation to unnecessary requirements to notify telecommunications service providers and/or without regulations requiring destruction of irrelevant communications of uninvolved third parties, etc. As this appears uncontrollable by the Commonwealth, the TI Act should not include an exception permitting State/Territory agencies to undertake remote interception/access. They should be required to obtain an interception warrant. Hence, if an exception is to apply for remote interception/access by the AFP, it should only apply to the AFP using a Crimes Act Part 1AA warrant.
8.3 Regulation of Access by Civil Penalty Enforcement Agencies and Public Revenue Agencies
179. Commonwealth Government civil penalty enforcement and public revenue agencies should not be permitted to obtain stored communications from telecommunications service providers unless they have obtained the same warrant (by providing the same information and satisfying the same issuing requirements and conditions) as criminal law enforcement agencies would be required to obtain in the same circumstances.
180. These agencies should certainly not be permitted to serve their existing compulsory notices to produce (as discussed in Section 6.1.2 above) on telecommunications service providers for the purpose of obtaining (in effect, seizing) other persons' stored communications. Such 'production' by a telecommunications service provider is a seizure insofar as the individual whose communications are obtained is concerned. As the A-GD's Guide To Framing Commonwealth Offences[66] states: "Seizure should only be allowed under a warrant".
181. State/Territory civil penalty enforcement and public revenue agencies (i.e. government agencies other than criminal law enforcement agencies) are not permitted to obtain the content or substance of postal mail from Australia Post (according to the Australian Postal Corporation Act 1989). If any of these agencies investigate offences necessitating access to the content or substance of communications from telecommunications service providers, access should be regulated in the same way as for the C'th agencies referred to above.
8.4 Regulation of Access by Telecommunications Service Providers
182. The TIA(SC) Act removed the previous protection in the TI Act which prohibited employees of telecommunications service providers from spying on their customers' and other individuals' electronic communications during their passage.
183. The pre-existing protection in that regard was enacted in 1995 in direct response to the Casualties of Telecom cases ("CoT cases") following the AUSTEL inquiry finding that Telecom had intercepted and taped customer telephone calls. Section 7(2) of the TI Act was amended to tighten up the exceptions to the prohibitions on interception by a telecommunications service provider employee, so that such interception is only permitted "where it is reasonably necessary for the employee [to do so] in order to perform [his/her] duties effectively". More information about those 1995 amendments is contained in Senate Legal and Constitutional Legislation Committee's Report on the Telecommunications (Interception) Amendment Bill 1995[67].
184. The current situation in relation to email, SMS and voice mail messages is as stated in the Explanatory Memorandum to the TIA(SC) Act:
"The amendments allow for a stored communication to be intercepted by a person having lawful access to the communication or the equipment on which it is stored. A person may have lawful access to a communication, for example, ... in the person's capacity as a network owner or administrator."
185. It appears the above situation results from the Australian Federal Police having argued that if the stored communications provisions of the First 2004 Bill had been enacted, the AFP's IT staff would be prohibited from reading suspect email arriving on the AFP's mail server to see if it was spam or contained a virus etc before allowing it to be sent on to the intended recipient. That issue arose because the First 2004 Bill would have extended the definition of interception to include viewing and reading.
186. While the AFP and other employers may have a legitimate need to be able to control/prevent spam etc being received by all their staff, that is not a justification for removing all pre-existing protections.
187. There is a vast difference between allowing employers to manage their own internal communications systems and allowing telecommunications service providers' employees to have unfettered access to trawl through their customers' and other individuals' communications during passage (or at any other time) without the customer's knowledge and permission.
188. EFA submits that the TI Act should be amended to restore the pre-existing restrictions on access/interception by telecommunications service provider employees.
189. The matter of access by employers/in the workplace is addressed in the following section.
8.5 Regulation of Access by Employers / in the Workplace
190. As mentioned in the previous section, last year the AFP raised the issue that extending the definition of interception to include "reading" and "viewing" would prohibit the AFP's IT staff from reading email suspected of containing viruses etc that arrives on the AFP's own mail server.
191. EFA agrees that employers should not be prohibited from using human review to manage the security of their own internal systems/networks.
192. The AFP also suggested in their March 2004 submission[68] to the Senate Legislation Committee that an appropriate balance in relation to employers' legitimate business needs and privacy may be achieved through amendments along the lines of the U.K. Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000[69].
193. We consider amendments along similar lines would be a vastly more appropriate means of dealing with the problem than the current situation arising from the enactment of the TIA(SC) Act.
194. We also note that the U.K. Department of Trade and Industry conducted a public consultation exercise on draft regulations and subsequently published a Lawful Business Practice Regulations - Response To Consultation[70] paper which sets out the main issues raised during the consultation and the steps taken to address the respondents' concerns.
9. "Highly Transitory" Communications
195. EFA remains concerned that there is ambiguity and resultant lack of clarity between the TI Act and the Surveillance Devices Act 2004[71]. We believe this issue should be addressed and legislative amendments made so that the law is clear to both law enforcement agencies and users of the telecommunications system.
196. Presently it is unclear whether, for example, when an individual is engaged in a "live" text based chat session (e.g. using Internet Relay Chat), law enforcement agencies are required to obtain an interception warrant or a data surveillance device warrant in order to lawfully intercept/obtain such communications while they are occurring. More detailed information is available in EFA's submission[72] to the Inquiry into the Provisions of the Surveillance Devices Bill (No. 1) 2004 conducted by Senate Legal & Constitutional Legislation Committee.
197. The subsequent Committee Report[73] stated:
"3.49 The Committee takes the view that ambiguity in the application of this kind of legislation has the potential - however unintentional - to give rise to use of powers which would be proscribed under one statute but permitted under another, as in the example given by EFA. Accordingly, the Committee makes the following recommendation:
Recommendation 3
3.50 The Committee recommends that the bill and the TI Act be amended to ensure that the circumstances in which similar kinds of surveillance devices are authorised, are clearly described, and that the limitations on their respective use are also clear."
198. However, Recommendation 3 was not taken up in the final Surveillance Devices Act.
199. It was stated in the House by Senator McClelland (ALP) on 24 June 2004[74] that:
"The opposition supports these amendments, which in some instances give effect to the bipartisan recommendations of that Senate committee and, in others, respond to requests by the state and territory governments for amendments to the bill, as outlined by the Attorney-General. Where the amendments do not pick up specifically the recommendations of the Senate committee, the opposition is satisfied from discussions with officials of the Attorney-General's Department that the concerns of the committee are being met in other ways that are appropriate."
200. EFA is of the opinion that if officials of the Attorney-General's Department claim concerns are being met in other ways, the detail of such other ways should be made available to the Parliament and the public before, or at the same time as, proposed legislation is introduced into Parliament. (The disagreement between the A-G's Department and the Australian Federal Police, in relation to the remote access provisions of s3L of the Crimes Act and the TI Act, is notable in relation to reliance on advice from a single government agency).
201. Furthermore, the lack of clarity cannot be addressed in any way other than by amendment to either the Surveillance Devices Act or the TI Act.
202. At core, the question is whether or not the communications are deemed (and by whom other than a court which may or may not understand the technology) to be occurring on a sufficiently "highly transitory" basis to attract the protection of the TI Act.
10. Internet Browsing
203. We note that the Review Terms of Reference recognise that "while the concept of a communication 'passing over' is technology neutral, its application has become more difficult in the context of advanced telecommunications services such as email, Internet browsing, short messaging services and other evolving technologies" and that the review is to consider policy options for the regulation of access to telecommunications in relation to, among other things, Internet browsing.
204. During the period available to prepare this submission, we have not had sufficient time and resources to address the matter of Internet browsing in detail, nor to address more recently developed technologies.
205. We are, however, highly concerned about the current situation concerning access to Internet browsing logs and records. We understand that Section 282 of the Telec. Act has been used to obtain details of all web pages etc that Internet users visit, i.e. the URLs of web pages that a user has visited and/or files that have been downloaded over a period of time. It is not known whether certified, or un-certified, requests have been used in such instances. It appears highly unlikely that the Government or Parliament envisaged such use of either certified or un-certified requests because at the time the Telecommunications Bill 1996 was drafted few people had sufficient knowledge and understanding of the new technology of the Internet to be aware of the potential for such use of Section 282.
206. Use of Section 282 to obtain details of web pages visited is significantly more privacy invasive than its use to obtain telephone numbers to or from which calls were made. Telephone numbers do not provide any detail about the content of a communication. However, a URL of a web site does provide information about the content of the communication and also enables the person who has seized such information to access and read the content of the web page/s visited by another person.
207. EFA considers that information from Internet browsing logs and records should not be permitted to be disclosed by telecommunications service providers except in response to a warrant the same as, or substantially similar to, that referred to earlier herein in relation to stored communications.
11. Conclusion
208. The Telecommunications (Interception) Act 1979 ("TI Act") requires amendment in order to achieve its primary objective of protecting the privacy of individuals who use the Australian telecommunications system, particularly in relation to the privacy of individuals who use new telecommunications technologies such as email, SMS and voice mail to communicate.
209. When the TI Act was originally drafted more than two decades ago it was not contemplated that communications would be stored either temporarily during passage, or remain stored subsequently, on telecommunications service providers' equipment, as such technology did not exist. However since that time, most of the new telecommunications technology developed (especially with regard to the Internet) has either required or allowed the temporary storage of communications.
210. These new telecommunications technologies have demonstrated that a new policy approach to protecting telecommunications users' privacy is now necessary.
211. We remain firmly of the view that access to communications that are temporarily delayed and stored during passage should not be permitted unless strong safeguards and controls against misuse are legislatively in place. Currently access is permitted but such safeguards and controls do not exist.
212. In addition, the covert surveillance nature of search/seizure of individuals' communications (whether in transit or not) at telecommunications service providers' premises is vastly more open to misuse and abuse than execution of a search warrant at an individual's own premises. Accordingly use of "some other form of lawful authority, such as a search warrant" (something other than an interception warrant) at telecommunications service providers' premises to access content of communications should not be permitted unless markedly more appropriate safeguards and controls are put in place than currently exist.
213. We are therefore of the view that all communications that are being, or have been, carried over a telecommunications system should be afforded protection of the TI Act while they remain stored on a telecommunications service provider's equipment.
214. A new type of warrant (e.g. a "stored communications warrant" as outlined in this submission) should be created for the specific purpose of authorising access to communications stored on a telecommunications service provider's equipment. Appropriate provisions regulating issue and use of a new warrant and related use and disclosure of seized communications should be inserted into the TI Act and access under authority of such a warrant made an exception to the prohibition on interception.
215. We consider such a policy approach is the only means of providing certainty in relation to means of lawful access by government agencies and appropriate protection for the privacy of individuals who use the telecommunications system by way of new telecommunications technologies.
References
1. Attorney General's Department, Review of the Regulation of Access to Communications under the Telecommunications (Interception) Act 1979, 2005
<http://www.ag.gov.au/agd/www/Securitylawhome.nsf/AllDocs/8EE81078AD694167CA256FC800147E87?OpenDocument>
2. Telecommunications (Interception) Act 1979
<http://www.austlii.edu.au/au/legis/cth/consol_act/ta1979350/>
3. Attorney-General's Department, Telecommunications (Interception) Act 1979 - Report for the year ending 30 June 2004, Section 2.2, 31 March 2005
<http://www.ag.gov.au/agd/WWW/agdhome.nsf/Page/RWP3BD452E345D42468CA256FD5001672B8>
4. Australian Federal Police, Submission No. 7 to the Inquiry into the Telecommunications (Interception) Amendment Bill 2004, March 2004
<http://www.aph.gov.au/senate/committee/legcon_ctte/completed_inquiries/2002-04/tel_intercept04/submissions/sub7.doc>
5. Australian Securities and Investment Commission, Submission to the Inquiry into the provisions of the Telecommunications (Interception) Amendment (Stored Communications) Bill 2004, 28 June 2004
<http://www.aph.gov.au/senate/committee/legcon_ctte/completed_inquiries/2002-04/ti_stored_data/submissions/sub04.pdf>
6. See note 5.
7. U.K. Regulation of Investigatory Powers Act 2000
<http://www.legislation.hmso.gov.uk/acts/acts2000/20000023.htm>
8. N.Z. Crimes Act 1961, Part 9A - Crimes Against Personal Privacy (as amended by the Crimes Amendment Act 2003)
<http://www.legislation.govt.nz/browse_vw.asp?content-set=pal_statutes>
9. Telstra, Submission to the Inquiry into the provisions of the Telecommunications (Interception) Amendment (Stored Communications) Bill 2004, 29 June 2004
<http://www.aph.gov.au/senate/committee/legcon_ctte/completed_inquiries/2002-04/TI_stored_data/submissions/sub10.pdf>
10. Senate Legal & Constitutional Legislation Committee, Inquiry into the Security Legislation Amendment (Terrorism) Bill 2002 [No. 2] and Related Bills (including the Telecommunications Interception Legislation Amendment Bill 2002), Committee Hansard, 19 April 2002
<http://www.aph.gov.au/hansard/senate/commttee/s5472.pdf>
11. Telephone tapping by the New South Wales Police, Published in:
Wayward governance : illegality and its control in the public sector, P N Grabosky, Australian Institute of Criminology, 1989, ISBN 0 642 14605 5, (Australian studies in law, crime and justice series); pp. 47-65
<http://www.aic.gov.au/publications/lcj/wayward/ch3.html>
12. Joint Select Committee on Telecommunications Interception, House Hansard, 4 June 1986
<http://parlinfoweb.aph.gov.au/piweb/translatewipilink.ASPX?Folder=HANSARDR&Criteria=DOC_DATE:1986-06-04;SEQ_NUM:93;>
13. Telecommunications (Interception) Amendment Bill 1987, Second Reading, The Hon L.F. Bowen - Attorney-General, House Hansard, 30 April 1987
<http://parlinfoweb.aph.gov.au/piweb/translatewipilink.ASPX?Folder=HANSARDR&Criteria=DOC_DATE:1987-04-30;SEQ_NUM:86;>
14. Attorney General's Department, Submission No. 6a to the Inquiry into the Telecommunications (Interception) Amendment Bill 2004, 19 March 2004
<http://www.aph.gov.au/senate/committee/legcon_ctte/completed_inquiries/2002-04/tel_intercept04/submissions/sub6a.pdf>
15. Crimes Act 1914 (Cth) subsection 3LB
<http://www.austlii.edu.au/au/legis/cth/consol_act/ca191482/s3lb.html>
16. Bruno Grollo v Michael John Palmer, Commissioner of the Australian Federal Police and Others F.C. 95/032, 21 September 1995
<http://www.austlii.edu.au/cgi-bin/disp.pl/au/cases/cth/high_ct/unrep222.html>
17. Lost your email? You should've paid more, says ISP, Sam Varghese, The Age, 12 April 2005
<http://theage.com.au/articles/2005/04/12/1113251611481.html>
Campaigner says many Telstra customers interested in class action, Sam Varghese, The Age, 21 October 2003
<http://theage.com.au/articles/2003/10/21/1066631405972.html>
Email wipeout hits Optus users, Rachel Lebihan, ZDNet Australia, 03 October 2001
<http://www.zdnet.com.au/news/communications/0,2000061791,20260878,00.htm>
18. Senate Standing Committee for the Scrutiny of Bills, Report on the Inquiry into Entry and Search Provisions in Commonwealth Legislation, 6 April 2000
<http://www.aph.gov.au/senate/committee/scrutiny/bills/2000/b04.pdf>
19. Government Response to the Senate Standing Committee for the Scrutiny of Bills - Fourth Report of 2000: Entry and Search Provisions in Commonwealth Legislation, August 2003.
<http://www.aph.gov.au/senate/committee/scrutiny/bills/2000/Govt_Response_Final.pdf>
20. Senate Standing Committee for the Scrutiny of Bills, Reference: Entry, search and seizure provisions in Commonwealth legislation, Committee Hansard, 11 March 2005
<http://www.aph.gov.au/hansard/senate/commttee/s8120.pdf>
21. Australian Federal Police, quoted in Senate Standing Committee for the Scrutiny of Bills 2000 Report on the Inquiry into Entry and Search Provisions in Commonwealth Legislation. See note 18.
22. Carmody v Mackellar [1997] 839 FCA; (1997) 76 FCR 115, 30 July 1997
<http://www.austlii.edu.au/cgi-bin/disp.pl/au/cases/cth/federal_ct/1997/839.html>
23. Discussed in Kennedy v Baker [2004] FCA 562; (2004) 135 FCR 520, 6 May 2004
<http://www.austlii.edu.au/au/cases/cth/federal_ct/2004/562.html>
24. Trade Practices Legislation Amendment Bill (No. 1) 2005
<http://parlinfoweb.aph.gov.au/piweb/browse.aspx?path=Legislation%20%3E%20Current%20Bills%20by%20Title%20%3E%20Trade%20Practices%20Legislation%20Amendment%20Bill%20(No.%201)%202005>
25. Senate Legal & Constitutional Legislation Committee, Report on Inquiry into the Telecommunications (Interception) Amendment (Stored Communications) Bill 2004, July 2004
<http://www.aph.gov.au/senate/committee/legcon_ctte/TI_stored_data/report/report.pdf>
26. Kennedy v Baker [2004] FCA 562; (2004) 135 FCR 520, 6 May 2004
<http://www.austlii.edu.au/au/cases/cth/federal_ct/2004/562.html>
27. Attorney-General, Upgrading Australia's Counter-terrorism Capabilities, Media Release, 18 December 2001
<http://www.asio.gov.au/Media/Contents/counter-terrorism%20capabilities.htm>
28. See note 24.
29. Crimes Act 1914 (Cth) subsection 3LB
<http://www.austlii.edu.au/au/legis/cth/consol_act/ca191482/s3lb.html>
30. Crimes Act 1914 (Cth) subsection 3L(1)
<http://www.austlii.edu.au/au/legis/cth/consol_act/ca191482/s3l.html>
31. Telecommunications Act 1997
<http://scaleplus.law.gov.au/html/pasteact/2/3021/top.htm>
32. Telecommunications Act 1997 Section 280(1)(b)
<http://www.austlii.edu.au/au/legis/cth/consol_act/ta1997214/s280.html>
33. Telecommunications Act 1997 Sections 282(1) and (2)
<http://www.austlii.edu.au/au/legis/cth/consol_act/ta1997214/s282.html>
34. Australian Communications Authority, Telecommunications and Law Enforcement Manual
<http://www.aca.gov.au/aca_home/licensing/radcomm/about_radcomms_licensing/leac.pdf>
35. See note 25.
36. Australian Postal Corporation Act 1989
<http://www.austlii.edu.au/au/legis/cth/consol_act/apca1989337/>
37. Australian Postal Corporation Act 1989, Section 90G
<http://www.austlii.edu.au/au/legis/cth/consol_act/apca1989337/s90j.html>
38. See note 31.
39. Telecommunications Act 1997 Sections 282(3), (4) and (5)
<http://www.austlii.edu.au/au/legis/cth/consol_act/ta1997214/s282.html>
40. Telecommunications Act 1997 Sections 282(1) and (2)
<http://www.austlii.edu.au/au/legis/cth/consol_act/ta1997214/s282.html>
41. Attorney-General's Department, Report: Telecommunications Interception Policy Review, 1999
<http://www.law.gov.au/agd/Department/Publications/publications/teleintreview/teleintreview.html>
42. Attorney-General's Department, Report: Telecommunications Interception Policy Review, Section 4.3 - Access to stored data
<http://www.law.gov.au/agd/Department/Publications/publications/teleintreview/teleintreview2.html#data>
43. Australian Communications Authority, Replaced and removed industry codes
<http://internet.aca.gov.au/ACAINTER.65636:STANDARD::pp=DIR3_14,pc=PC_2132>
44. Australian Communications Authority, Internet Service Providers and Law Enforcement and National Security Fact Sheet, November 2000 (accessed 27 April 2005)
<http://www.aca.gov.au/consumer_info/fact_sheets/industry_fact_sheets/fsi13.pdf>
45. Australian Communications Authority, Annual Report 2003-2004, Appendix 9: Disclosures of Information
<https://www.aca.gov.au/aca_home/publications/reports/annual/0304/ar_app-09.htm>
46. See note 36.
47. Australian Postal Corporation Act 1989 s90LF
<http://www.austlii.edu.au/au/legis/cth/consol_act/apca1989337/s90lf.html>
48. Australian Postal Corporation Act 1989 s90LE
<http://www.austlii.edu.au/au/legis/cth/consol_act/apca1989337/s90le.html>
49. See note 25.
50. Australian Communications Authority Act 1997, Section 50(2)(g)
<http://scaleplus.law.gov.au/html/pasteact/2/3016/0/PA000630.htm>
51. See note 45.
52. Australian Communications Authority, Annual Report 2002-03, Chapter 11.
<http://www.aca.gov.au/aca_home/publications/reports/reports/performance/2002-03/chap11.pdf>
53. Office of the Federal Privacy Commissioner, Senate Legal and Constitutional Legislation Committee, Budget Estimates, Hansard, 10 February 2003
<http://www.aph.gov.au/hansard/senate/commttee/s6143.pdf>
54. Attorney-General's Department, Guide To Framing Commonwealth Offences, Civil Penalties And Enforcement Powers
<http://www.ag.gov.au/agd/www/Agdhome.nsf/0/6F19B1D7FCBBF6C3CA256E5F00017937?OpenDocument>
55. See note 4.
56. Barrett Report on the Review of the Long Term Cost Effectiveness of Telecommunications Interception, quoted in Report By The [N.Z.] Privacy Commissioner To The Minister Of Justice On Parts V And Viii Of The Harassment And Criminal Associations Bill (Interception Of Private Communications)
<http://www.privacy.org.nz/people/intercpt.html>
57. Telecommunications (Interception) Amendment Bill 1994 [1995]: Second Reading, House Hansard, 01 December, 1995
<http://parlinfoweb.aph.gov.au/piweb/translatewipilink.ASPX?Folder=HANSARDR&Criteria=DOC_DATE:1995-12-01;SEQ_NUM:8>
58. See note 18.
59. Queensland Police Powers and Responsibilities Act 1997, Section 159
<http://www.austlii.edu.au/au/legis/qld/consol_act/ppara2000365/s159.html>
60. Australian Federal Police, Submission No. 7a to the Inquiry into the Telecommunications (Interception) Amendment Bill 2004, 23 March 2004
<http://www.aph.gov.au/senate/committee/legcon_ctte/completed_inquiries/2002-04/tel_intercept04/submissions/sub7a.doc>
61. For example, see Attorney-General's Department evidence in Senate Legal & Constitutional Legislation Committee Hansard, Inquiry into the Security Legislation Amendment (Terrorism) Bill 2002 [No. 2] and Related Bills (including the Telecommunications Interception Legislation Amendment Bill 2002), 19 April 2002
<http://www.aph.gov.au/hansard/senate/commttee/s5472.pdf>
62. Explanatory Notes to U.K. Regulation of Investigatory Powers Act 2000
<http://www.hmso.gov.uk/acts/en2000/2000en23.htm>
63. See note 7.
64. The U.K. Police and Criminal Evidence Act 1984 ("PACE"), and other U.K. legislation originally enacted that long ago, have not yet been made available on an official UK government site. Relevant extracts and information are available at:
- UK Law Online, s8, s9 and Schedule 1 of Police and Criminal Evidence Act 1984
<http://www.leeds.ac.uk/law/hamlyn/searchp.htm>
- 11 King's Bench Walk Chambers, Police Powers Of Search And Seizure by John Dryden
<http://www.11kbw.co.uk/html/articles/policepowers.html>
65. See note 60.
66. See note 54.
67. Senate Legal and Constitutional Legislation Committee, Report on the Telecommunications (Interception) Amendment Bill 1995
<http://www.aph.gov.au/Senate/committee/history/legcon_ctte/telintercept/>
68. See note 60.
69. U.K. Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000
<http://www.hmso.gov.uk/si/si2000/20002699.htm>
70. U.K. Lawful Business Practice Regulations - Response To Consultation
<http://www3.dti.gov.uk/industries/ecommunications/lawful_business_practice_regulations__response_to_consultation.html>
71. Surveillance Devices Act 2004
<http://www.comlaw.gov.au/ComLaw/Management.nsf/current/bytitle/8739FA3E9BDD18BDCA256F72002366D4?OpenDocument>
72. EFA submission to the Inquiry into the Provisions of the Surveillance Devices Bill 2004, 18 May 2004
<http://www.efa.org.au/Publish/efasubm-slclc-sdbill2004.html>
73. Senate Legal and Constitutional Legislation Committee, Report on the Surveillance Devices Bill 2004, 27 May 2004
<http://www.aph.gov.au/senate/committee/legcon_ctte/surveillance/report.pdf>
74. House Hansard, Speech by Senator R McClelland, 24 June 2004
<http://parlinfoweb.aph.gov.au/piweb/view_document.aspx?ID=924833&TABLE=HANSARDR>
About EFA
Electronic Frontiers Australia Inc. ("EFA") is a non-profit national organisation representing Internet users concerned with on-line rights and freedoms. EFA was established in January 1994 and incorporated under the Associations Incorporation Act (S.A.) in May 1994.
EFA is independent of government and commerce, and is funded by membership subscriptions and donations from individuals and organisations with an altruistic interest in promoting online civil liberties. EFA members and supporters come from all parts of Australia and from diverse backgrounds.
Our major objectives are to protect and promote the civil liberties of users of computer based communications systems (such as the Internet) and of those affected by their use and to educate the community at large about the social, political and civil liberties issues involved in the use of computer based communications systems.
EFA policy formulation, decision making and oversight of organisational activities are the responsibility of the EFA Board of Management. The elected Board Members act in a voluntary capacity; they are not remunerated for time spent on EFA activities. The role of Executive Director was established in 1999 and reports to the Board.
EFA has long been an advocate for the privacy rights of users of the Internet and other telecommunications and computer based communication systems. EFA's Executive Director was an invited member of the Federal Privacy Commissioner's National Privacy Principles Guidelines Reference Group and the Research Reference Committee (2001) and the Privacy Consultative Group (2004-2005). EFA participated in NOIE's Privacy Impact Assessment Consultative Group relating to the development of a Commonwealth Government Authentication Framework (2003), Centrelink's Voice Authentication Initiative Privacy Impact Assessment Consultative Group (2004), the ENUM Privacy and Security Working Group convened by the Australian Communications Authority ("ACA") (2003-2005), and the ACA's Consumer Consultative Forum meeting (April 2005). EFA has presented written and oral testimony to Federal Parliamentary Committee and government agency inquiries into privacy related matters, including amendments to the Privacy Act 1988 to cover the private sector, telecommunications interception laws, cybercrime, spam, etc.