Tuesday, 23 August 2011
Cybercrime Legislation Amendment Bill 2011; Second Reading
Debate resumed on the motion:
That this bill be now read a second time.
I rise to talk about the Cybercrime Legislation Amendment Bill 2011. The coalition broadly support the purpose of this bill, which is to require carriers and carriage service providers to preserve telecommunications data for specific persons when requested to do so by domestic agencies or by the Australian Federal Police on behalf of foreign countries.
In Australia, 'cybercrime' has a narrow statutory meaning, as used in the Cybercrime Act 2001, which details offences against computer data and systems. However, a broader meaning is given to 'cybercrime' at an international level. In the Council of Europe's Convention on Cybercrime, 'cybercrime' is used as an umbrella term to refer to a range of criminal activities, including offences against computer data and systems, computer related offences, content offences and copyright offences.
Australians have been quick to adopt the internet in their lives and in their businesses. For many Australians, it is an essential part of our daily lives for communicating with family and friends, for studying, shopping, paying bills and for doing myriad other things that the internet has enabled. Similarly, businesses embrace the internet and other information technology to improve efficiency and quality of service, and to gain access to new markets. Regrettably, with its extensive use the internet has also created new prospects for criminal activity. Criminals seek to access our personal and corporate secrets, steal our resources and intimidate internet related businesses. Additionally, the global community continues to experience an increase in the scale, sophistication and penetration of cybercrime.
As the extent and the importance of electronic information have increased, so too have the efforts of criminals and other malicious actors who have now adopted the internet as a more convenient, anonymous and profitable method of conducting their criminal activities. I would like at this point to acknowledge the very good work that is done by our domestic agencies but in particular the Australian Federal Police, led by Assistant Commissioner Neil Gaughan, who do an outstanding job with the resources they have available and with the constant evolution of the cyber threat.
The bill itself seeks to make amendments necessary to facilitate Australia's accession to the Council of Europe Convention on Cybercrime. Several countries outside of Europe, including contemporary countries such as the United States and Canada, have done so also. The convention is the first international treaty on crimes committed either against or via computer networks. It deals predominantly with online fraud, online child exploitation and the unauthorised access, use or modification of data stored on computers. The convention's key objective is to pursue a common criminal policy by adopting consistent legislation and fostering international cooperation.
The bill's explanatory memorandum notes that the bill makes amendments to the Telecommunications Act 1997, the Telecommunications (Interception and Access) Act 1979, the Mutual Assistance in Criminal Matters Act 1987 and the Criminal Code Act 1995. The principal effect of the amendments is to require carriers and carriage service providers to preserve the stored communications and telecommunications data for specific persons when requested by certain domestic agencies or when requested by the AFP on behalf of certain foreign governments. Furthermore, the amendments: ensure that Australian agencies are able to obtain and disclose telecommunications data and stored communications for the purposes of a foreign investigation, provide extra territorial operation of certain offences in the Telecommunications (Interception and Access) Act, adopt the computer crime offences in the Criminal Code Act so that they have adequate scope, and create confidentiality requirements in relation to authorisations to disclose telecommunications data.
This bill has been the subject of two parliamentary inquiries—firstly, as is appropriate for any foreign treaty, by the Joint Standing Committee on Treaties. In April 2011, the committee were invited to consider Australia's proposed accession to the European convention and they made various comments on the issues as they saw them. The JSCOT report, while recommending that we do accede to the convention, identified a number of concerns that would arise from any enabling legislation. In addition to the loss of autonomy in future domestic law reform on the issue, there are concerns about privacy and jurisdiction. Submissions to the JSCOT review complained that the convention does not contain sufficiently robust privacy and civil liberties protections to offset the increased surveillance and information-sharing powers it implements. The powers governing the real-time collection and preservation of computer data were identified as being of particular concern to JSCOT. However, it was noted that powers for mass surveillance activity, such as wire-tapping or eavesdropping, are not enhanced by the legislation because the amendments are limited to telecommunications legislation only, which requires the issue of a warrant, and do not extend to surveillance devices. It should be noted that the acts sought to be amended by this bill contain their own fairly robust privacy safeguards and accountability mechanisms.
The proposed legislation may also have some effect on state and territory law, as some of them do not currently criminalise activity but will be bound by amendments to the cybercrime offences in the Criminal Code. I wish to particularly note the concerns of the Western Australian government as they were put to JSCOT. I quote their submission directly:
It is important to note that accession to the Convention should not create further bureaucracy which could act to stifle established links between agencies, particularly those formed at a State level. WA Police already has strong ties with a number of … service providers in attempting to tackle cyber crime. It would be detrimental if accession to the Convention were to erode these links.
Notably, there is a savings clause in the Criminal Code which provides that Commonwealth computer offences are not intended to limit or exclude the operation of any law in a state or territory. This clause will continue to apply. Despite these concerns, the bill has been welcomed by the information technology sector, including Telstra.
The second review that this bill has been subject to was conducted by the Joint Select Committee on Cyber-Safety. This happened after the bill was introduced to the House and was referred to that committee. The committee's review of the bill came up with 13 recommendations in its final report, which I note was only tabled last week, on 18 August. I particularly want to acknowledge the deputy chair of that committee, the member for Mitchell, who tabled the report, is very passionate about this area and has put a lot of effort into this inquiry. The committee made a number of detailed and technical recommendations which the coalition will consider. It is pretty unfortunate, we believe, that the Labor Party has rushed forward with this debate without having given those recommendations their due. The committee's report took the approach of ensuring that thresholds that apply to domestic investigation are applied equally to foreign countries seeking access to communication materials of Australians. One of the recommendations proposed that the Australian Federal Police guidelines on police-to-police cooperation in possible death penalty scenarios be tightened and should occur only in exceptional circumstances and only with the consent of the two relevant ministers—namely, the Attorney-General and the Minister for Home Affairs. The intended result of this proposal is that telecommunications data cannot be shared even at an early investigative stage in possible death penalty scenarios without the consent of both ministers. The member for Mitchell mentioned when he tabled a report late last week in the House that the committee also recommended that the police should be required to consider the factors, including the Mutual Assistance in Criminal Matters Act, before sharing telecommunications data retrieved during a domestic investigation with foreign counterparts.
The committee believed that this proposal would strengthen protection against data sharing in relation to a political offence as one example. They believe that the general privacy safeguard in proposed section 180F would be elaborated in more detail to provide greater guidance for the AFP. The coalition looks forward to considering these recommendations that have been put forward by the committee, and I again note the concern we have that the government has rushed this legislation into the House when the joint select committee has spent a lot of time looking at the legislation and has made 13 very sensible recommendations which clearly the government has not had a chance to consider properly.
The coalition supports the objectives of the bill and we are broadly satisfied that the safeguards it contains and other legislation within which it operates are effective. However, the government by bringing on this debate so soon after the tabling of the committee report has not excluded the possibility that further amendments may be required in the Senate. The coalition does, however, agree with the government that cybercrime poses a significant challenge for our law enforcement authorities and the criminal justice system as a whole.
The global and interconnected nature of the internet makes it easy for malicious actors to operate from abroad, especially from those countries where regulations and enforcement arrangements are weak. For this reason it is critical that laws designed to combat cyber threats are harmonised or at least compatible to allow for international cooperation between law enforcement agencies. With this objective in mind, the coalition will not be opposing this bill.
The main purpose of the Cybercrime Legislation Amendment Bill 2011 before the House today is to protect Australians from cybercrime by ensuring that our legislation meets the requirements to allow Australia to join the Council of Europe Convention on Cybercrime, also known as the convention. Only after Australian legislation is compliant can Australia accede to this convention. The bill amends the Telecommunications (Interceptions and Access) Act 1979, the Criminal Code Act 1995, the Mutual Assistance in Criminal Matters Act 1987 and the Telecommunications Act 1997. The convention, which came into force in July 2004, is the only binding international treaty on cybercrime. It serves both as a guide for nations developing comprehensive national legislation on cybercrime and as a framework for international cooperation between signatory countries.
The convention promotes an internationally coordinated approach to cybercrime by requiring countries to criminalise offences, including computer related offences such as forgery and fraud, content related offences such as child pornography, illegal access to computer systems, illegal interception and data interference and offences related to the infringement of copyright and other related rights. It also establishes procedures to make international investigations more efficient and helps facilitate international cooperation by helping authorities from one country to collect data in another country. By joining the convention, Australian agencies will have greater access to information stored overseas on the investigation of cybercrime and crimes committed using the internet.
There are a number of important protections in this bill. Agencies can only access information from a carrier with a relevant warrant. Warrants are only available to investigate serious crimes, which are those with a three-year imprisonment or more than a $19,800 fine for individuals or a $99,000 fine for non-individuals. Warrants will also be available for obtaining evidence relating to national security, espionage, terrorism, foreign interference and border integrity.
In each case a number of tests must be satisfied to obtain a warrant, such as balancing privacy considerations, determining that there are reasonable grounds to suspect that the carrier holds the relevant communications and that the information that would be obtained would likely assist in investigations. Agencies will be required to report on the number of preservation notices issued and to keep copies of those notices. Use of preservation powers by agencies will be subject to oversight by the Commonwealth Ombudsman and the Inspector-General of Intelligence and Security.
The proliferation of digital technology and the convergence of computing and communication devices have really transformed the way that we do business and the way that we socialise. But they have also provided a very wide range of risks to be exploited for criminal purposes, and the internet provides a very vast pool of potential victims for many online scams. Digital photography also allows large volumes of child exploitation material to be distributed globally. Digital media may be copied and shared, allowing widespread copyright infringement. In fact, many social networking sites are often used to menace and harass.
Our increasing dependence on computers and digital networks makes the technology itself a tempting target and gives rise to the very real potential for cyberterrorism and espionage. The sheer number of people online provides an unprecedented pool of potential offenders and victims. There is estimated to be approximately two billion people connected to the internet which, of course, is about 30 per cent of the world's population. In fact, the social networking site Facebook has 500 million active users alone.
Although not evenly spread, the uptake of technology continues to increase in most countries. In the developing world, for example, mobile cellular usage rates were estimated to be at 68 per cent by the end of 2010. Not surprisingly, of course, with this massive growth in the take-up of new technology cybercrime is the fastest-growing crime in the world, with millions of people affected every day. The most common form of cybercrime is, of course, online fraud which means any type of fraud scheme that uses email, websites, chat rooms or message boards to present fraudulent solicitations to prospective victims. Some forms of online fraud include internet banking fraud, scams and identity theft.
Internet banking fraud is fraud or theft committed using online technology to illegally remove money from or transfer it to a different bank account. One of the most common types of internet banking fraud is called 'phishing'. Phishing involves using a form of spam to fraudulently gain access to people's internet banking details. The term 'phishing' refers to the use of spam emails purporting to be from a bank. In this way criminals phish for legitimate bank customers' login information.
Criminals send out millions of these fraudulent emails to random email addresses in the hope of luring unsuspecting innocent persons into providing their personal banking details. Typically, a phishing email will ask an internet banking customer to follow a link to a fake banking website and to enter his or her personal banking details. If the link is followed the victim also downloads a malicious program which captures his or her keyboard strokes, including any typed information such as banking login details, and then sends them on to a third party. As well as targeting internet banking customers, phishing emails may target online auction sites or other online payment facilities. The AFP works with the financial sector, internet security industries and relevant organisations to investigate crimes associated with phishing emails.
Another type of internet fraud is the internet scam. Of course, we are all very familiar with these particular scams. A good example is the Nigerian letter scam, which asks the potential victim to forward their bank account details and a small sum of money in order that a larger sum of money held in Nigeria may be put into their account. We also have the lottery scam which involves fake notices of lottery wins. The winner just has to provide sensitive personal information such as their name, residential address, occupation and position. The scammer then asks the victim for a small fee to ensure that their million-dollar windfall can be deposited into their bank account. Criminals send out millions of these fraudulent spam emails to random email addresses in the hope of enticing someone to respond. Of course, another very serious type of cybercrime is that of identity theft, and that can occur in many ways—for example, having your entire identity assumed by another person to open bank accounts. While technological advances such as the internet have improved communications and the ease of doing business, the downside is that fraudsters and other criminals may have a lot more opportunities to obtain details about us and our personal lives. Victims of identity theft bear significant financial and emotional costs and often experience difficulties in regaining control of their identity and restoring their credit rating. In 2007, the Australian Bureau of Statistics conducted a survey on personal fraud. The findings indicated that around half a million Australians experienced some form of identity fraud in the 12 months preceding the survey.
One of the most insidious forms of cybercrime is, of course, child pornography. Protecting children, stopping the electronic distribution of child pornography and punishing those responsible form one of the most important applications of online policing. The success the AFP has had in prosecuting cybercrime can be seen in the very outstanding success of Operation Rescue, which concluded in March this year. Operation Rescue has seen almost 200 suspected child sex offenders arrested and 230 children rescued, following one of the biggest investigations of its kind so far by law enforcement agencies across the world.
The AFP has removed four children from harmful situations and arrested 31 suspected offenders since the operation commenced in 2007. The suspects were members of an online child abuse forum with thousands of members worldwide. The AFP began the investigation in August 2007. It was a three-year investigation, spanning the globe, which revealed several of the internet addresses coming from Australian internet service providers. In the words of AFP Manager Investigations of the High Tech Crime Operations, Grant Edwards:
With over 200 children removed from harm globally, we imagine an even larger number of children were safeguarded elsewhere in the world; however we will never know the total figure due to it being such a limitless crime.
Commander Edwards went on to say of Operation Rescue:
This demonstrates that global law enforcement is working together internationally to protect children wherever they may be in the world.
At the end of the day, our goal is simple: child safety.
We can certainly see how important it is for Australia's law enforcement agencies to work cooperatively with other agencies around the world to work together to help fight cybercrime. An increasing cyberthreat means that no nation alone can effectively overcome this problem and international cooperation is absolutely essential, and accession to the convention will demonstrate Australia's commitment to actively engage in international efforts to combat cybercrime and complement the Australian government's broader policy agenda on cybercrime and cybersafety and security.
Acceding to the Council of Europe Convention on Cybercrime will ensure that Australia's laws and arrangements are consistent with international best practice and it will really improve Australia's ability to engage internationally to combat cybercrime. This is a very, very important step to increasing the power of Australian investigators to effectively combat cybercrime and all the threats that it poses, by absolutely ensuring our increased international cooperation. I commend the bill to the House.
I rise to speak on the Cybercrime Legislation Amendment Bill 2011. In recent decades there has been an explosion in the use of telecommunication technologies in Australia. Each year, more and more of us use mobile phones and the internet. It is the way we interact in the 21st century. It is the way we shop, we bank and we communicate. Activities that used to take place face-to-face are now happening in cyberspace. Unfortunately the criminals have followed suit, creating a new category of crime—cybercrime. I am sure all members would hear many stories of cybercrime in their own electorates each year. From scams and fraud to the more serious incidents we see on the news, this is a growing area of concern and one which we need to deal with.
Countries around the world are coming to terms with these challenges. Given the nature of the internet and the nature of 21st century telecommunications, there has been a focus on dealing with these matters at a transnational level. A landmark agreement on dealing with this issue happened at the Council of Europe's Convention on Cybercrime—otherwise known as the Budapest Convention. It is the first international treaty on crimes committed either against or via computer networks. In particular the Budapest Convention deals with online fraud, child pornography and the unauthorised access, use or modification of data stored on computers.
The bill we are debating today facilitates Australia's accession to the Budapest Convention and in the process aims to strengthen Australia's cybercrime legislation and to harmonise our approach with international legislation, fostering a consistent, cooperative approach to tackling this issue. The bill makes amendments to the Telecommunications Act 1997, the Telecommunications (Interception and Access) Act 1979, the Mutual Assistance in Criminal Matters Act 1987 and the Criminal Code Act 1995. The main effects of these amendments are: to require carriers and carriage providers to preserve the stored communications and telecommunications data for specific persons when requested by certain domestic agencies or when requested by the Australian Federal Police on behalf of certain foreign countries; to ensure Australian agencies are able to obtain and disclose telecommunications data and stored communications for the purposes of foreign investigation; to provide for extraterritorial operation of certain offences in the Telecommunications (Interception and Access) Act; to amend the computer crime offences in the Criminal Code Act so that they have adequate scope; and to create confidentiality requirements in relation to the authorisations to disclose.
When this legislation was considered by the Joint Select Committee on Cyber Safety some concerns were raised by stakeholders. The main concern was the issue of privacy, with many submissions uneasy with the increased surveillance and information-sharing powers contained within the bill. These are important concerns to raise—particularly where this concerns the government, which does not have a good overall track record when it comes to these matters. The issue of mandatory internet filtering is still a concern for many people in my electorate of Swan, and the government's pursuit of this issue has put Australia on an 'enemies of the internet' watch list in the company of a number of totalitarian regimes—something to consider a day after a dictatorship in Libya was on the brink of collapse.
These submissions have forced the government to clarify a number of privacy matters, and I note that in the Attorney-General's statement of 18 August 2011 he stated:
Preservation notices can’t apply to an entire provider, but only to a person, phone number or email address. Moreover they only apply until a law enforcement agency obtains a warrant to formally access the information and the information is destroyed after 30 days if a warrant is not granted.
The bill does not require ongoing collection and retention of communications. We on this side of the House will be keeping a watchful eye on the Attorney-General to make sure he keeps his commitments.
I draw the attention of the House to a submission from the government of Western Australia that stated:
It is important to note that accession to the Convention should not create further bureaucracy which could act to stifle established links between agencies, particularly those formed at a State level. WA Police already has strong ties with … a number of service providers in attempting to tackle cybercrime. It would be detrimental if accession to the Convention were to erode these links.
I hope this is not another example from this government of a lack of consultation with WA, as was raised consistently in the debate on the Offshore Petroleum and Greenhouse Gas Storage Amendment (National Regulator) Bill 2011. The government must consult properly with WA and must ensure that this legislation does not undermine the ongoing work of the WA Police in tackling this crime. There is a clause in the Criminal Code which provides that Commonwealth computer offences are not intended to limit or exclude the operation of any law of a state or territory. However, it is up to the government of the day to make sure that this is effectively applied.
Despite flagging these points with the government in this chamber this evening, I will be supporting this legislation. The legislation recognises that criminal policy in this country needs to keep pace with the massive changes we have seen in telecommunications. We need the police to be able to request telecommunications data. Even what we might call traditional crime now often leaves traces on mobile phones and emails. The transnational nature of crime means that more than ever we need to cooperate with international agencies. I spoke about this in more detail during my speech on the Mutual Assistance in Criminal Matters Amendment (Registration of Foreign Proceeds of Crime Orders) Bill 2011 during the last parliamentary sitting. There may be some matters to clear up in the Senate, given the speed with which the government has brought the debate forward following the tabling of the Senate inquiry report. The joint select committee made no fewer than 13 recommendations including restrictions on police-to-police cooperation in possible death penalties scenarios without ministerial consent. The committee also recommended that the police should be required to consider the factors included in the mutual assistance act before sharing telecommunications data retrieved during a domestic investigation with foreign counterparts with a view to strengthening protection against data sharing in certain cases. These are areas that may be subject to further consideration in the other place.
However, we support the objectives of this bill and are broadly satisfied that the safeguards in it and other legislation with which it operates are effective. Beyond this legislation there is much we can all do to help tackle cybercrime. It is important to take cybersecurity as seriously, for example, as you would locking your car or your house. When I was at Sevenoaks school in my electorate of Swan in Cannington, I spoke to the students about how important it is for students to protect their personal information online. There were many who thought that by placing photos or personal information on sites such as Facebook they would be secure. Clearly, that is not the case, as we have seen. Cyberbullying is also a related problem, and I am a big supporter of the Carlisle Primary School in my electorate for their anti-cyberbullying stance, which I would encourage other schools to look at as well.
In conclusion, we all have a part to play in tackling cybercrime. I am glad that this is a duty we are taking seriously in the Australian parliament today and I congratulate the other members who have made a contribution to this debate. Thank you.
This is an area of law of great professional and personal interest to me. I have been analysing, commenting on and advising on the subject matter of this bill for many years, particularly with some of my former colleagues whom I wish to acknowledge today. The intersection between technology, electronic communications, law enforcement and privacy is one which I have witnessed grow and expand from something of a fringe area of law and policy into a household term which we now commonly understand to constitute cybercrime. Indeed, I remember over a decade ago firstly advising on the differences between the breaches of the prohibitions against telecommunications interception in the Commonwealth legislation as opposed to the criteria under the various state and territory listening devices legislation.
Probably the most complex advisory roles at that time concerned 'double jacking', or a third party listening in to conversations between a customer and a call centre operator, usually for quality assurance purposes. There have since been enormous developments in the law, corresponding with the evolution of data collection and storage, access to data, prospective access, access to metadata, as well as the needs of law enforcement agencies to exercise necessary powers to enforce the prohibitions in the Criminal Code Act dealing with crimes using communications devices. Equally, at a practical level, carriers, carriage service providers and carriage service intermediaries have also been required to maintain their compliance and cooperation standards with such agencies to implement these measures.
The term 'cybercrime' is usually defined by way of inclusion rather than exhaustively. It includes the use of a device by means of a network to commit offences against that network, as well as that network being utilised to commit an offence. The expanded use and accessibility of any number of devices—be they telephony exclusive, data or, as in most cases, platform and content neutral in nature—and the explosion in networks and the network of networks that comprise not only what we understand to be the internet but networks capable of storing clouds of data, unfortunately means that capacity for illegal activity utilising such networks is virtually ubiquitous.
It is also why, unfortunately, cybercrime is often associated with some of the most heinous offences imaginable. Part 10.6 of the Criminal Code Act 1995 lists those offences, including: using a telecommunications network with intention to commit a serious offence; using a carriage service to make a threat or a hoax threat; using a carriage service to menace, harass or cause offence; offences relating to use of carriage services for child pornography material or child abuse material; and offences relating to the use of a carriage service involving sexual activity with persons under 16, including using a carriage service to groom persons under 16 years of age or transmit indecent communication to persons under 16 years of age. There is also a series of computer offences listed in part 10.7 of the Criminal Code Act. It is unfortunate that the term 'cybercrime' is now commonly understood to be associated not only with threats to private and national infrastructure, which was the primary focus of the law around a decade ago, but as recently as over the weekend we saw on our television news footage an individual being charged with grooming offences in a sting conducted by police in Western Sydney. It is therefore not without careful consideration that successive governments have approached this complex area of policy and regulation within a prism of seeking maximum evidence gathering and enforcement opportunities. Equally, the successive amendments to the laws including an interception and access regime, which is almost unrecognisable compared to the now superseded primary 1979 act, have not gone without scrutiny from privacy advocates and, for practitioners and operators in the area, the implementation and the practicality of the law have been overriding issues.
I would like to turn to the international arrangements on the issue of cybercrime since the bill before us is intended to set the legislative framework to enable Australia's accession to the Council of Europe Convention on Cybercrime. As noted by the Attorney-General when introducing the bill in June this year, the intent of the convention is to provide systems to facilitate international cooperation between signatory countries as well as establishing procedures to increase the efficiency of law enforcement investigations in this area. This includes the ability of authorities to request the preservation of specific communications, assisting authorities of one country to collect data in another, the establishment of a 24/7 network to provide immediate assistance to investigators and facilitating the exchange of information on these matters between countries. Thus, as described in the convention, its main objective is to develop a common criminal policy to combat cybercrime through international cooperation.
The convention was considered earlier this year by the Joint Standing Committee on Treaties of which I am a member. Australia, as a non-member state, was invited to accede to the convention in September last year. In its report on the convention, the treaties committee noted that, in addition to the crimes referred to previously, cybercrime is a growing threat to consumers commensurate with the value and significance of electronic communications as the most efficient, dynamic and prolific global mechanism for social, professional and business communications.
Despite the range of prohibitions set out in current legislation and the existing powers of surveillance, search and obtaining by warrant available to law enforcement agencies, new threats from cybercrime continually emerge. Again, as the treaties committee noted in its report on the convention, consumers were not only the prime targets of such activity but the nature of networks which do not recognise geographic borders poses an immediate challenge stating:
The Committee notes advice that while Australia currently has specific laws targeting cyber crime—including such offences as unauthorised access, modification or impairment of computers, online child exploitation, copyright infringement and online fraud—law enforcers are increasingly challenged by the transnational and dynamic nature of this type of criminal activity.
In its report, the treaties committee noted concerns raised in its public hearing on the convention, including the potential impact of ratification on the integrity of Australia's regulation of computer communications in the context of the rights of individuals as well as privacy protections and on the capacity of the states and territories to raise and implement the necessary enforcement powers to support Australia's obligations.
As a parallel matter, which I have alluded to, there are the practical issues of implementations by operators. In the public hearing on this matter conducted by the treaties committee in March, I raised the following questions and issues:
For many years I acted for telco operators and particularly when I was in-house we would receive access requests for data going back many weeks or months. For SMSs, being store and forward technology, you would need a server the size of Western Australia to store all of this stuff for some of the periods that were required. I am sure this still goes on today, but we got access requests for communications that were weeks or even months old. The engineering that needed to be done to retrieve them was prohibitively expensive. I know it is revenue-neutral in the end because you have the interception agreements with the Commonwealth.
There was not a process that all of a sudden the carrier would get notified, ‘In a few weeks we are going to ask you for all this information.’ If this is going to work effectively I am concerned that in a very practical sense telcos would not have budgeted for this. I do not think any of them made submissions to the committee.
In response, the departmental witnesses reiterated that the measures proposed in the convention and the amendments themselves would be about preserving material already held by a carrier.
While I accept that advice, it would be remiss not to highlight some of the concerns that have been raised about these issues at a policy and procedural level. Firstly, the treaties committee rightly recognised the growing threat of cybercrime, but it also recorded its awareness that surveillance and data storage by law enforcement agencies does raise fears about privacy with potential threat to human rights and liberties. The committee noted that the convention contains certain guarantees for human rights protection and judicial review. Secondly, the committee placed on the record its concerns about lack of transparency in the review process for this important treaty. In its recommendation 14, in relation to the convention, it recommended the Attorney-General's report to the committee on any proposed amendments to Commonwealth, state and territory law in support of the convention.
Thirdly, I note concerns raised by organisations and privacy advocacy groups, including the Australian Privacy Foundation, as reported in the media and elsewhere, such as guidance on any legal restrictions regarding how data would be used by foreign nations once it was handed over by our domestic law enforcement agencies. I also note, as reported in the Sydney Morning Herald on Friday, the concern that Australia is, per capita, home to more data interception than almost anywhere else in the world. I am very familiar with this, particularly as I was involved in much of the research and commentary in this area that over the past few years fed into Social Implications of National Security, the forum and proceedings overseen by the Research Network for a Secure Australia and edited by Katina Michael and MG Michael.
Fourthly, I note that last Thursday the Joint Select Committee on Cyber-Safety tabled its report into the review of the bill. The report contained 13 recommendations intended to clarify and tighten conditions under which new powers of law enforcement agencies may be exercised. The committee recognised the importance of enabling Australian agencies to work with their international counterparts, particularly in relation to crimes against children. As stated by the chair, Senator Bilyk, these views were unanimous with the intention of allaying fears about the potential to misuse these powers and ensuring that they are actually available to fight cybercrime but also that the public has confidence in the scheme. One of the most important points made by the committee, and it goes again to the line of questioning which concerned me at the Joint Standing Committee on Treaties, was that this is not a data retention scheme and it does not allow foreign countries to demand access to private communications.
I would finally like to mention and acknowledge the thinking and rigour, both in a policy sense and from a practical implementation viewpoint, of former colleagues who involved me in what I maintain was commentary well ahead of its time on this issue. I want to particularly note the cost-benefit analysis undertaken by Rob Nicholls, on whom is now or very soon to be conferred the title of Dr Nicholls for his outstanding academic contributions to communications and broadcasting. One of Rob Nicholls's most compelling works was his contribution to the fourth workshop on the Social Implications of National Security, entitled 'For what it's worth: cost benefit analysis of the use of interception and access in Australia'. This was not a cost-benefit study of whether or not the interception and access regime in Australia should exist; rather, it was an analysis of the effectiveness of Australia's covert communications law enforcement arrangements with international benchmarking. It examined this on a qualitative basis, in terms of outcomes with privacy rights forgone, and in a quantitative sense—the monetary cost of the regime per conviction. This was able to be analysed thanks to the requirements to publish the Attorney-General's annual report into the interception and access operations that had been conducted in the previous year, 2009.
Rob Nicholls also noted that 2009 was the milestone 30th anniversary of the Telecommunications (Interception and Access) Act—the addition of 'access' in its title being added only a few years ago to accommodate the provisions for access to data rather than limited to real-time voice communications. His analysis included the following salient points. In the period from 1 July 2008 to 30 June 2009, there were more than 3½ thousand warrants for interception and access executed in Australia. By way of background, there is a strict prohibition against interception and access, except in cases of a warrant. The vast majority of these warrants were consistently in relation to drugs offences over the period 2006 to 2009. There was a reasonable level of effectiveness of interception warrants, with a consistently higher than 50 per cent rate of arrest per warrant. Compared to the United States over the period 1 January 2008 to 31 December 2009, the total number of warrants issued in Australia under the regime was slightly over two-thirds of the number in the United States. When one considers that the population of the United States is around 15 times that of Australia, the per capita discrepancy becomes stark. Canada's 2009 figure showed a warrant rate less than Australia's on a per capita basis, as did the United Kingdom.
I believe it would be remiss, not only in a policy sense but also in a legal sense, considering the strict communications-specific privacy requirements set out in part 13 of the Telecommunications Act and the strict prohibition against interception and access to communications without a warrant, not to consider the concerns of privacy advocates and individuals generally in this area. However, at the same time, we must recognise that Australia operates in a global economy, that we are connected to the world by a global network and that international cooperation is the only effective way to combat the incidence and impact of cybercrime for all Australian citizens. I therefore agree with the comments of the Attorney-General and the Minister for Home Affairs and Justice, as stated in their introductions to the bill, on three important points. The Attorney-General stated:
The increasing cyber threat means that no nation alone can effectively overcome this problem and international cooperation is essential.
The Minister for Home Affairs and Justice stated:
Australia must have appropriate arrangements domestically and internationally to be in the best possible position to fight cybercrime and cyber security threats.
He also said this bill:
… is an important step to increasing the powers of Australian investigators to effectively combat cybercrime with increased international cooperation.
I therefore commend the bill to the House.
I am very pleased to speak tonight on the Cybercrime Legislation Amendment Bill 2011. It amends the Telecommunications (Interception and Access) Act 1979 to ensure that Australian legislation is compliant with the Council of Europe Convention on Cybercrime requirements in order to facilitate Australia's accession to the convention.
Cybercrime—and cyberspace—is one of the great legal frontiers of our time. It has been reported that from 2000 to 2008 the internet expanded at an annual rate of 290 per cent on a global level and that there are currently an estimated 1.4 billion people on the Net. This is an absolutely phenomenal growth rate. The impact of the internet on society has been so very fast moving and far reaching—the uptake has been incredibly fast—that the legislation has failed to keep pace.
Cybercrime is borderless and potentially transnational. Offenders can in general target users in any country in the world, so international cooperation of law enforcement agencies is absolutely essential for international cybercrime investigations. The convention is the first international treaty on crimes committed either against or via computer networks. It deals with a number of areas, including fraud, child pornography and the unauthorised access, use or modification of data stored on computers. The convention's main objective is to pursue a common criminal policy by adopting consistent legislation and fostering international cooperation.
The Council of Europe Convention on Cybercrime came into force on 1 July 2004, and to date some 31 countries are party to the convention and a further 16 countries have signed the convention, including nonmembers such as Canada, Japan and South Africa. The bill targets online fraud, child pornography, copyright offences and security breaches, including offences against the confidentiality and integrity of the computer systems that bring Australia's communications laws into alignment with international conventions.
There are a number of effects of the amendments and they are: 'To require carriers and carriage service providers … to preserve the stored communications and telecommunications data for specific persons', particularly 'when requested by certain domestic agencies or when requested by the Australian Federal Police on behalf of certain foreign countries.' That means that the bill authorises the requirement for communications carriers to preserve that very important data for up to 90 days from customers who are suspected of having committed a cybercrime offence. By requiring companies to hold information—including emails, messages and internet usage data—agencies can prevent data on suspected cybercrimes from being destroyed during the investigation process. Additionally, this bill will amend the computer crime offences in the Criminal Code Act so that they have adequate scope to act. Cybercrime is on the rise, and we hear it every day in the press. Criminal activity is getting much more shrewd. It involves a use of computers or computer networks, and there are full-time people working in many countries. The level of criminal activity in this particular area is on the increase. The committee heard reports from the Uniting Church of Australia Synod of Victoria and Tasmania in support of Australia's accession to the convention, with particular regard to the need for greater international effort to combat child sexual abuse. This is a particularly horrific crime that we must do everything in our power to combat.
Another example of cybercrime involves using a computer connection and specifically developed software in order to steal identity, credit card numbers and other data that criminals can use to their advantage. Using illegally obtained data, the criminal can open accounts, charge a wide variety of goods and services and then abandon the accounts. This sometimes leaves the victim in a position of having to deal with huge debts of which they are unaware. Quite often I have constituents speaking to me about items appearing on their credit card from offshore regions.
In addition to this, data integrity and security is topical at the moment. There have been some very highly publicised attacks. Earlier this year Citigroup was IT breached by hackers and an online facility used by customers to manage their credit cards was infiltrated. Recently we also had Sony breached, allowing unauthorised access to the account information of millions of users. Other security breaches have also occurred over the last year in relation to RSA Security. All of these breaches expose companies and their customers to the risk of cybercrime. On a daily basis we hear about bank accounts being emptied. Constituents are forever contacting my office when they are being asked for their online bank account details. It still goes on quite frequently.
Submissions to the Joint Standing Committee on Treaties complained that the convention does not contain sufficiently robust privacy and civil liberties protection to offset the increased surveillance and information-sharing powers that it implements. The powers governing the real-time collection and preservation of computer data where identified has been of particular concern; however, powers for mass-surveillance activities such as wiretapping or eavesdropping are not enhanced by the legislation, because the amendments are limited to the telecommunication legislation, which requires the issue of a warrant and does not extend to surveillance devices. Disclosure of real-time data is limited to investigations relating to criminal offences punishable by at least three years in prison.
In addition, the acts sought to be amended by this bill contain their own fairly robust privacy safeguards and accountability mechanisms. We support these amendments, and Australia's accession will assist in the prevention of cybercrime.
I rise to speak in support of the Cybercrime Legislation Amendment Bill 2011. Acting Deputy Speaker Adams, I am sure that, as a Tasmanian, you, too, will be supportive of these endeavours. I speak as the father of a two year old and a six year old. These boys will see more innovation in education by the internet in the next 10 years than we have seen over the last 100 years, I would suggest. There will be great opportunities but also more challenges and more threats at home in the living room.
The internet has improved the lives of many through better communication, immediate access to banking—no queues and waiting on a Friday afternoon—great innovations in e-health and education to name but a few areas, but the internet has also provided a new platform for criminals to conduct their malicious activities. They can come creeping around your house at night not with a mask and a bag of loot like in a cartoon but with a keyboard, reaching from their den in Russia, Nigeria or even Sydney and coming into your lounge room via your computer. Traditional crimes like theft and fraud can now be committed in cyberspace. Crimes like fraud, hacking, money laundering, theft, cyberstalking, cyberbullying, identity theft, child sexual exploitation and child grooming are now, sadly, widespread on the internet. Where the academics who invented the internet saw opportunities to share knowledge, crooks see opportunities to share in the fruits of our labour. These are not just bits and bits. These can be particularly horrendous crimes that have a horrible impact on their victims. I saw today in the media that even in my home town of St George there were people involved in this in a horrible way.
It is acknowledged that these crimes are becoming more common, but their extent in Australia is difficult to quantify, as much of it goes unreported. As a member of the Joint Select Committee on Cyber-Safety I was pleased to be a part of some good work in developing the report into cybersafety, High-wire act: cyber-safety and the young. That was a great report to be involved with and it certainly opened my eyes to some of the problems that are out there with the internet. The committee investigated the risk to safety and privacy for young people on the internet but—and I know this personally—there are lessons for all Australians, whatever their age. I think I learnt more at MacGregor State School about the internet than I had in 10 years of using it—and that was from the grade 7 students.
We know, in no uncertain terms, that more needs to be done to protect people's safety online. Just today my office received an email from a constituent who is the victim of internet fraud and harassment, which he encountered after visiting internet dating sites. This is just a lonely guy seeking companionship or romance who is suddenly the target of criminal activities. The hook was baited because he was lonely and, suddenly, he was the target of criminals. I understand, and I have heard this from other speakers, that this experience is all too common. Of course my office has referred his case to the AFP, but there are many who do not make contact with their federal member of parliament.
This is a difficult area of law. The global and borderless scope of the internet makes law enforcement in cyberspace convoluted and complicated. The exponential development of new technology is also a major challenge for law enforcement agencies, who do great work but are often struggling to keep up with criminal technology and innovation. That is why international cooperation in fighting cybercrime is so very important. To this end, the Cybercrime Legislation Amendment Bill will facilitate Australia's accession to the Council of Europe's Convention on Cybercrime. This treaty has already been signed by 40 nations and is the only binding international treaty on cybercrime. It puts in place common procedures governments should follow to combat cybercrime. As a signatory, Australia will be better positioned to prevent, detect and prosecute crimes committed on the internet, as Australian law enforcement agencies will have greater access to information stored overseas in the investigation of cybercrimes.
Australia already complies with the majority of our obligations under the convention. However, this bill amends a number of acts to ensure we meet all requirements under the treaty, particularly those relating to the storage and exchange of information, which are such important areas. Firstly, it amends the Telecommunications (Interception and Access) Act 1979 to enable authorised agencies to request the preservation of specific communications that are stored by a carrier. Law enforcement agencies will be required to produce a warrant to access this information. They will only be available for serious offences, with a penalty of three years in prison or a fine of $19,800, and for obtaining intelligence related to espionage, terrorism, foreign interference and border security. A notice to preserve communications will be automatically revoked after 90 days for domestic purposes. Notices for foreign purposes will be valid for 180 days.
Secondly, this bill amends the Mutual Assistance in Criminal Matters Act 1987 to allow Australian law enforcement agencies to obtain and disclose communications for the purposes of a foreign investigation. There are some good checks and balances in this process. There are a number of mandatory and discretionary grounds for refusal of a mutual assistance request; for example, the Attorney-General may refuse a request if the assistance is not considered appropriate. The Attorney-General is also required to report to parliament annually on the number of stored communications warrants obtained for foreign purposes.
Further, the bill amends the Criminal Code Act 1995 to expand the application of Commonwealth computer offences under the treaty. Finally, it amends the Telecommunications Act 1997 to require service providers to assist law enforcement investigations and enable them to recover costs associated with that assistance. This bill will ensure Australia becomes a stronger part of global efforts to combat cybercrime. I am particularly proud of this legislation as my wife has worked in child protection for 20 years. Unfortunately child protection and child abuse are so often cultivated and commenced through the internet with people looking at sites that are inappropriate. This is one small step in nipping crimes in the bud before they escalate. It ensures stronger international cooperation and empowers Australia's crime-fighting agencies with the appropriate tools to investigate cybercrimes. I commend the bill to the House.
I rise to speak on Cybercrime Legislation Amendment Bill 2011. The amendments contained in the bill will ensure Australia is compliant with the Council of Europe Convention on Cybercrime requirements and introduce a variety of measures to help fight cybercrime at home and abroad. Cybercrime is a developing issue that has caused concern within the general public and the business community.
Looking back on events that have occurred over the last year, we have seen the websites of credit card giants Visa and MasterCard attacked after they stopped processing donations to WikiLeaks. This occurred after the public arrest of the organisation's founder, Julian Assange, weeks after the unauthorised disclosure of thousands of sensitive diplomatic documents. Other notable incidents of cybercrime have included the release of passwords from US military consultants, social media profiles being hacked and open invitations to non-existent gatherings being distributed. The parliamentary Joint Standing on Treaties define cybercrime broadly to encompass a variety of situations, referring to it as criminal activity that involves the 'use of computers or computer networks … or where use of a computer is integral to the offence'.
The Council of Europe Convention on Cybercrime has been signed by our major allies and trading partners, including the United States, Japan and the United Kingdom. It aims to develop a common criminal policy to combat cybercrime, in particular by adopting appropriate legislation and international cooperation. This is to occur through the criminalisation of offences such as forgery, fraud, child pornography, data interference and infringement of copyright, as well as facilitating international cooperation through better cyber related procedures and systems. It is the first international treaty that deals with crimes committed over the internet, such as computer related offences and computer accessed offences.
The bill before the House introduces a variety of amendments to the Telecommunications Act 1997, the Telecommunications (Interception and Access) Act 1979, the Criminal Code Act 1995 and the Mutual Assistance in Criminal Matters Act 1987. This will create a statutory method to preserve stored communications and allow for mutual assistance in fighting cybercrime with our allies and foreign law enforcement agencies. The bill proposes to meet the provisions of the convention and will introduce a preservation regime for stored communications—these being, communications that have not commenced or that have passed through the telecommunications system. These communications include emails, voicemails and SMSs. The amended act will allow domestic law enforcement agencies or foreign law enforcement agencies to request disclosure of these stored communications data from carriers and service providers for up to 90 days under a warrant.
In the circumstance of a request for mutual assistance on behalf of a foreign country, the Attorney-General will be able to authorise the Australian Federal Police to apply on behalf of that foreign country for a stored communications warrant in relation to an investigation or investigative proceedings that have commenced in that country for a serious foreign contravention. For the purposes of the bill, a serious foreign contravention is any offence which carries a penalty of three or more years imprisonment, life imprisonment or a fine of roughly $99,000. The bill also deals with legislative changes to the Commonwealth Criminal Code Act 1995—namely, extending the scope of computer related offences listed in the code. Many of the states and territories have already legislated for computer offences, and some submissions to the Joint Select Committee on Cyber-Safety expressed concern that there may be some conflict. Yet the saving provision of the Criminal Code Act will not limit or exclude the operation of the state and territory laws in the event of any inconsistency.
There have been concerns raised about privacy, especially confidentiality requirements in relation to the authorisations to disclose telecommunications data as handled in the bill. Submissions to the Joint Select Committee on Cyber-Safety expressed concern over a lack of sufficient privacy and civil liberty protections to counter the increased powers of surveillance and intelligence the bill implements. However, it should be noted that the bill will impose a broader test upon authorised officers in considering how much privacy of any person or persons would be likely to be interfered with by the disclosure or use of prospective or historical telecommunications data for a domestic or foreign investigation. The bill does not increase the scope of powers for mass surveillance, due to the bill's limitation to telecommunications legislation and the requirement for a warrant. Also, the relevant acts that are being amended maintain their own safeguards in relation to privacy and accountability.
We must not forget the inherent threat that cybercrime poses to both our local communities and the nation at large. In mid-June internet hackers obtained and distributed 62,000 worldwide email addresses and passwords, including some from Australian universities and government departments. But Australia is not the only target. This problem is global. For example, the United States Senate website was hacked as recently as June this year. In response to continued cyberattacks, the United States of America has recently declared that a serious cyberattack on the United States, if found to be perpetrated by another nation, could be construed as an act of war.
Here in Australia, a concern exists that cybercrime may threaten our businesses. With the vast majority of businesses now using computerised systems and the internet in the course of their daily activities, the risk of cybercrime has escalated dramatically. Businesses are already hurting, and they are at increasing risk of cyberattack because they are unable to meet the additional costs associated with high-level internet security. In my electorate of McPherson, there are roughly 15,400 businesses in a variety of industries, including tourism, manufacturing, construction, retail and education. The Australian Institute of Criminology noted in 2009 that 28 per cent of businesses with information technology experienced one or more computer security incidents over a 12-month period in 2006-07. If that statistic were to be applied to the number of businesses in my electorate, this would mean roughly 4,300 businesses, or about one in four businesses, would have been open to a computer security incident of some form.
Last year the former House Standing Committee on Communications produced the report Hackers, fraudsters and botnets: tackling the problem of cyber crime, in whichthe standing committee investigated the economic effect of cybercrime. The report noted:
All aspects of Australian society including Australian government, private businesses and home users, are victimised by cyber criminals.
The standing committee then went on to explain that—with the Australian economy expanding due to the digital economy, a decline in consumer confidence in online services, a loss of business reputation due to online incidents—the direct financial loss to businesses due to scams, frauds and extortion, or even a direct impact on critical infrastructure has the potential to substantially damage the Australian economy. The variety of ways cybercriminals can affect our digital economy is indeed a frightening reality which seems almost daunting when you consider the relative ease with which this occurs. We are now witnessing a new breed of criminals that steal from our computers using software. Unlike the stereotypical robberies that occur in a physical sense, these opportunists are able to commit these crimes at a distance, often in private locations. The internet is a place for opportunistic people. Quite often people are being taken advantage of by email scams, identity theft and the range of other offences I previously mentioned tonight. Our seniors can be some of the most vulnerable people in our community who fall victim to internet scammers. However, there are community groups who assist seniors in navigating their way around the internet and computer systems. I would like to commend the efforts of the Gold Coast Seniors OntheNet computer club, which assists seniors who are interested in learning about computer systems in addition to improving their knowledge of new technologies. Along with the organisation's entire management committee, Vice-President Judy Gamin, who is a constituent of mine and a former state member for Burleigh, does a great job with our seniors on the Gold Coast to ensure they engage as much as possible in an area that is often overlooked or considered too difficult and problematic.
Children are also at high risk of cybercrime and we must ensure they are kept safe from these emerging threats. While the emergence of Facebook, Twitter, Myspace and other social-networking sites have revolutionised the lives of many young people, they have also created many new challenges we must often overcome. The lives of children are often put on display for the world at large where scammers and predators are only an email, comment or tweet away from conversing with these most vulnerable members of our society. I commend the schools in my electorate for their continuing efforts to educate their students on the precautions they should take while surfing the net.
The challenges our national economy faces are constantly discussed in this place and at no time more so than now. It is important we look to giving businesses and private households the security of knowing that those who perpetrate cybercrimes, whether they be related to content being conveyed or stolen or to the integrity of the system or computer itself, will have a net, so to speak, closing in on them fast and surely.
Tonight I speak in favour of the Cybercrime Legislation Amendment Bill 2011. Earlier this year I had reason to speak on the identity theft provisions of the Law and Justice Legislation Amendment (Identity Crimes and Other Measures) Bill 2010  and in particular on the growing problem of the online theft of personal information. It is for similar reasons that I speak on this bill tonight. Indeed, I revealed earlier this year that I was a victim of online identity theft when I was planning a trip to a conference in the United States a couple of years ago. I was told by my travel agent—and I do not use this travel agent anymore—that I had to get a visa to go to the States. That surprised me at the time, given that I had worked in Foreign Affairs and was aware of the relationship we had with the US. I thought we had agreements in place so that for short stays we did not have to obtain visas. Being the person I am, I found a site purporting to provide me with such a visa. I applied, paid $60 and got an ID code to show the officials when I arrived at the fabulous Los Angeles airport. However, my initial instincts were correct and when I arrived in the US there was no need for the visa, so it was a completely spurious concept and a completely spurious visa. I was completely scammed and have not seen my money since.
On a less amusing note, late last year my father-in-law was the victim of identity theft after the death of my mother-in-law. He was in the midst of reconciling and closing down bank accounts and advising government agencies and community organisations of her death while at the same time trying to come to terms with the loss of the woman he had loved for more than 50 years. In his grief he thought the request for bank information was just one of the many administrative processes he had to go through at the time. There was a pile of paperwork and it was just another thing he had to do. He discovered too late that he had become a victim of identity crime. It was very traumatic for him and we spent a lot of time back-pedalling on a range of things to help him out. As I said, it happened at the worst possible time—just after his very beloved wife had died. Last month my husband, Chris, got a phone call from the bank saying that our credit cards had been skimmed and had subsequently been cancelled. Unfortunately, we had no choice in the matter. It is one thing to have the cards cancelled immediately, but then you have to wait to get the new cards and there are all the accounts you have attached to your credit card. You get nasty letters from people saying you have not paid a bill and you have to let them know that you are waiting for a new credit card and then have to notify them of the new details—and we both have so much spare time to do all that.
The reason I spoke on identity theft earlier this year is that it is an everyday problem. I relay these stories because I believe my family is not all that special; in fact it is quite the opposite. My story is all too common and sadly the loss of my $60 is very minor when compared to some of the crimes that occur online. This year we also heard of the breach of the Sony PlayStation Network and the theft of information. It has been confirmed that in all some 77 million users from across the globe had their information stolen by unknown criminals. It is also a sad fact that the online environment is proving to be very convenient for paedophiles and for the dissemination of child pornography. As an example, in March this year the Australian Federal Police cooperated with police from around the world to arrest nearly 200 suspected paedophiles and rescue 230 children—I do not even want to think where those children were—from Holland, Chile, Brazil, France, the United States, New Zealand and Australia.
It is abundantly clear that cybercrime does not confine itself to the niceties of international borders. If one thing can be said about the criminal elements of society, it is that they are nothing if not enterprising. We should not be surprised then that, like legitimate business, criminal syndicates and groups are taking advantage of the globalised world made possible by advances in technology. In March last year, for instance, New Scientist reported on a burgeoning service industry for the creation of malware, insidious software that infects computers to steal information, including credit information. The article revealed that for as little as $400 a person with little computer skill could purchase and use sophisticated malware for online fraud and theft.
Given the rise of this risk to our economy and our society we must react decisively and appropriately, because as Rafael Etges and Emma Sutcliffe stated in an article entitled 'An Overview of Transnational Organized Cyber Crime' for the InformationSecurity Journal, A Global Perspective:
Organized crime is successful where laws are confusing or lax, or law enforcement is not prepared or structured to fight back.
It is clear that if cybercrime is to be tackled we need effective, international cooperation. It is this kind of international cooperation that this legislation is designed to achieve.
This legislation will facilitate Australia's accession to the Council of Europe Convention on Cybercrime. This convention is the only binding international treaty on cybercrime and as such is the only global mechanism for cooperation on this important issue. The convention serves as a guide for nations to develop laws to combat cybercrime. It aims to combat this rising new criminal enterprise by harmonising laws amongst convention members, empowering agencies with the appropriate tools to investigate crimes and through these elements enable better international cooperation.
Schedule 1 of this bill amends the Telecommunication (Interception and Access) Act. While this act already contains most of the necessary powers, it has no formal arrangements around the preservation of information. The bill seeks to amend this act so that Australian law enforcement agencies can seek the preservation of communication stored on carriers' networks prior to a warrant being issued. This is necessary as it is currently standard business practice for many providers to routinely delete information after relatively short periods. This creates issues for law enforcement as information is often deleted before a warrant for the information can be issued. The amendment will fix this problem. It is important to note that law enforcement agencies will still require a warrant to access the information with the appropriate tests under that process. Warrants will only be available to investigate a serious contravention—that is, a crime with a penalty of three years imprisonment or a significant fine.
Schedule 2 of this bill is designed to facilitate international cooperation. It makes amendments to allow the AFP to assist foreign partners by accessing communications data on a police-to-police basis. This will allow foreign partners improved access to information here in Australia as well as allowing Australian law enforcement bodies greater access to information stored overseas. Again, there are some important safeguards on foreign requests for information. Section 8 of the Mutual Assistance in Criminal Matters Act already sets out a range of mandatory and discretionary grounds for the refusal of mutual assistance. The bill also includes a range of safeguards to govern how and when things can be provided to a foreign country, including how the privacy of the person is likely to be interfered with, the record-keeping requirements on agencies and carriers, and a requirement that the AFP report on the use of powers for foreign purposes in the same way that they report on their use for domestic purposes. Finally, schedule 3 makes amendments to the application of criminal offences. While many of Australia's relevant laws already comply with the terms of the convention, there are some gaps. This bill amends a scope of computer crime offences in part 10.7 of the Criminal Code Act to ensure full compliance with the convention.
This legislation is a timely and necessary reform to ensure that Australia can rely on international cooperation to protect the economy and the lives of Australians from cybercrime. Cybercrime is no longer the domain of spotty faced teenagers out for intellectual stimulation and easy thrills, if indeed it ever was. Cybercrime is being committed by sophisticated syndicates and groups who are intent on committing terrible crimes either for financial gain at the expense of ordinary people or for other more disturbing reasons that, quite frankly, the mind boggles to comprehend. Australia must respond appropriately to this new breed of crime and criminal, and this legislation enhances our ability to respond. I commend it to the House.
I also rise to support the Cybercrime Legislation Amendment Bill 2011 as proposed by the government, taking account of some of the recommendations of the Joint Select Committee on Cyber-Safety. As deputy chair of that committee I was privileged to be present during the inquiry into this piece of legislation and I want to endorse the recommendation of the House that we did inquire into it. When you are creating and amending law in the criminal space it is very important that the government take the time to ensure that it gets it right. In the recommendations that the committee put together, it has attempted to demonstrate to the Attorney-General and the government ways in which the bill can be improved to ensure that community expectations are met, and that it recognises the very sensitive nature of the material which the Cybercrime Legislation Amendment Bill is dealing with.
It is true that in the modern era the globalisation of communication technology has brought a lot of benefits, but it has also enabled transnational crime to flourish. It is a constant frustration of constituents, businesses and entities within Australia and around the world today that often crime is transnational. It has been elusive; it has been hard for agencies to track down, detect, identify, prosecute successfully and ensure that the crime is prevented. Hacking, the spread of malware, denial of service attacks on private corporations, attacks on the institution of government and attacks on the Australian government in recent times make up the modern face of cybercrime. Large-scale online fraud can net organised crime vast profits. We know of all the scams that occur on the internet today. But we are no longer dealing with those small-scale hackers; we are dealing with serious criminal elements using the internet and telecommunications to achieve their criminal ends. Of course, anytime you are amending the Telecommunications (Interception and Access) Act, especially to sign up to an international convention, which is what we are doing here—we are fulfilling our obligations to the Convention on Cybercrime, which Australia is now becoming a party to—it is important that you thoroughly examine the ramifications for ordinary Australian citizens. In doing so, the Joint Select Committee on Cyber-Safety did take time to analyse what the bill does and how the bill would operate in relation to fulfilling our obligations on the Convention on Cybercrime.
There were four main aspects to this bill. The first was to introduce a new mechanism for the preservation of communications to prevent the destruction of potential evidence until a warrant for access is obtained. The new preservation mechanism will be available to law enforcement agencies and to ASIO. The purpose of a preservation notice is to ensure that potential evidence is not destroyed. This it is a worthy objective. We do not want evidence of criminal activity destroyed; we want to ensure that it is preserved in this electronic communication format. It is a worthy intention of the bill. Access to the material by a stored communications warrant, which is available under the Telecommunications (Interception and Access) Act, is appropriate and there are the safeguards in relation to this material.
Second, the bill also requires the AFP to preserve communications data on behalf of a foreign country when requested to do so. This can be interpreted as controversial and indeed has raised several questions in members' minds in this place about the nature of that foreign access and the nature of that request. In a certain sense this does rely on the benign nature of our police forces and on their good intentions. That is why it is appropriate that parliament thoroughly scrutinise legislation in this regard and ensure that we have those appropriate safeguards. It is important to note here that there is no access to this material without a warrant and that the AFP can only apply for a warrant when the Attorney-General and the Minister for Home Affairs have agreed to a formal request for mutual assistance from the foreign country.
Thirdly, the bill allows for the AFP to share telecommunications data—that is, non-content data—with a foreign country without the need for a formal mutual assistance request. This may only occur where that data has already been obtained for a domestic investigation. It is intended to speed up international cooperation where perpetrators may also be operating overseas. The AFP can share that telecommunications data with a foreign country without formal mutual assistance request but only where that data has only been obtained for a domestic investigation. Again we see the way that this will actually work in practice.
Fourthly, the Ombudsman will have oversight of the preservation regime and the stored communication warrants obtained for a foreign country. The Inspector-General of Intelligence and Security will have oversight of ASIO's use of the preservation regime for intelligence purposes. The Ombudsman's role in this type of legislation is entirely appropriate and should be carefully monitored to ensure that all of the intelligence that is gathered and the telecommunications data that is stored is appropriately done so and in accordance with legislation and the parliament's intentions.
There have been several concerns in relation to this legislation. I want to say to those commentators and people out there who have expressed some concern that I do not have an issue with people expressing concern about legislation proposed by this House. It is appropriate. People ought to thoroughly scrutinise the activities of their parliament and what they seek to do. I am happy to say that from our investigations and the 13 recommendations that the Joint Select Committee on Cyber-Safety made, we are quite satisfied that the intentions and the provisions in this bill will be appropriate and will provide law enforcement agencies with the powers they need without seeking to expand the powers of those agencies massively. It is important to be clear that neither the convention nor the bills seeks to implement a general data retention scheme. Naturally, of course, the instinct of people concerned about digital liberty and the right of people to privacy online would be concerned about a general data retention scheme. There will be no general data retention scheme from the provisions of this legislation.
I have been the first to criticise the government on internet filtering and massive government intervention into the online space. I would be the first to stand in this place and say that if I believe there was mass surveillance of internet usage being proposed, I would certainly speak out about that. I have satisfied myself that this is an appropriate and targeted, focused piece of legislation that will enable our law enforcement agencies to do their job and allow Australia to cooperate with international agencies in a way that will not violate the rights of Australian citizens. The powers available under the bill and indeed the powers that already exist under the Telecommunications (Interception and Access) Act can only be activated where there are legitimate law enforcement requirements or, in the case of ASIO, legitimate security purposes. Quite importantly, no country can demand that communications traffic data be transferred to them, and I think that is entirely appropriate, considering the nature of different countries and regimes around the world. Not everybody has the benefit of living in a Western democratic society as we do.
There have been other untrue claims; for example, that countries such as China could obtain large volumes of communications data about dissidents or about so-called political crimes through people in China communicating with people in Australia. That is not the intention of this legislation, and I am certain that would not be accessed by an Australian Attorney-General or other agency in that regard.
Access to the content of the communications is provided under warrant only after a mutual assistance request has been agreed to by the Attorney-General. So again there is a dual safeguard of requiring a warrant and a mutual assistance request being agreed to by the Attorney-General of the day. While it is true that the bill does not limit the sharing of telecommunications data only to countries that are party to the convention, it also makes no change to the range of countries that police can provide police-to-police assistance to. While that may be concerning to some people—that it does not limit the sharing of this data to countries that are signatories to this convention; and certainly that is a cause for concern—I think, in the era we are in, that does not immediately raise a series of problems or issues that must be addressed by this legislation. It is of course something we would have to continue to monitor, as indeed we will be monitoring our international conventions and how this legislation will perform. In other words, police cooperation will happen on the same basis that it happens now. As I said before, we often rely on the benign nature of our police forces in Australia, their goodwill and their obedience to the law. There are some countries where that is not the case, where countries suffer from a police agency or force that is not so benign or as high quality as Australia's. Cooperation is still important for our agencies. That is something we will continue to monitor.
The bill does not increase ASIO's powers or allow ASIO to share communications with foreign counterparts either. So any commentary in relation to those concerns has been misstated.
The committee was fortunate to hear about 23 submissions and several witnesses on Monday, 1 August. We also had the opportunity to carry out an inspection of the Australian Federal Police high-tech crime operation facilities in Barton. I think all of us were sensitive to the expansion of covert policing powers and we were especially mindful of the powers that involve access to private communications. I think this legislation ensures that the proper standards and safeguards are met. The recommendations we made to the Attorney-General were realistic, modest and practical, in the main. We are happy that he has adopted some of the recommendations. I think perhaps others could have also been adopted, but that is no reason for us to change our position in relation to this legislation or indeed alter our position on this bill. The process of the committee scrutinising the legislation and ensuring that we have suggested improvements is a worthy one. We were able to satisfy ourselves about many of the assertions that have been around in public commentary about some of the provisions contained within this bill.
The general approach that we took, and which I think the government has adopted, was to ensure that thresholds that apply to domestic investigation were applied equally to foreign countries seeking access to communications material. I think that is no less than any Australian citizen would expect; that when we are signing an international convention those international agencies be required to meet the same standards as domestic agencies. We have also proposed that AFP guidelines on police-to-police cooperation in possible death penalty scenarios be tightened and should only occur in exceptional circumstances and with the consent of the relevant ministers. I think that the Attorney-General and the government took a positive approach in relation to that very tricky area of the operation of this legislation and this convention in relation to countries that have the death penalty. Considering Australia's formal and stated position on the death penalty, there was a constructive approach taken by members of the government and we have a constructive outcome with which I am satisfied that we will not be engaged in many situations where this will be a big concern. Of course, in some situations it may be possible that this will arise, but there will be mechanisms for the parliament and for Australians to satisfy themselves that this legislation is not in any way opposing Australia's position on the death penalty.
We have also made quite a valid suggestion that police be required to consider the range of factors set out in the mutual assistance act before sharing telecommunications data obtained during domestic investigations with a foreign counterpart. Some of those things that would strengthen some of the provisions of this bill that have not been adopted could also be considered as future amendments once the operation of these provisions becomes commonplace. This will lead to a general improvement in law enforcement and cooperation between international agencies in this space. I think the rights of Australians will be preserved, and of course the Privacy Act already applies. There was one minor concern in relation to carriers and telecommunication service providers and the retention of data. I want to make it clear that this legislation may require telecommunications providers to hold information. The telecommunications providers are subject to the Privacy Act and other acts of this place that would disallow them from using that information for any legitimate commercial or other purpose. It is entirely appropriate in an era where large telecommunications service providers have access to a lot of our information that those safeguards are also in place.
The committee that inquired into this bill was quite satisfied about its provisions. The coalition supports this legislation and legislation that enhances our ability to cooperate with international policing forces to better protect Australians and prosecute those people engaged in serious cyber and transnational crime.
It is nice to follow the member for Mitchell. I think he made a very positive contribution. He is a person who has, I understand, particularly in relation to this piece of legislation, taken the time to review it very much from the perspective of what is required for law enforcement in this country. I too rise to support the Cybercrime Legislation Amendment Bill 2011. This bill makes the necessary amendments for us to meet the Council of the Europe Convention on Cybercrime, which is really the only binding international treaty on cybercrime. As I understand it, there are 40 nations that are signatories to this part of the convention at the moment and, as I will come to later, having more countries subscribe to this convention reduces the window of opportunity for those criminals who seek to exploit cybercrime regardless of where it occurs.
The bill will make an overall improvement to Australia's cybercrime laws consequently protecting Australia's consumers, businesses and governments but most importantly individuals and of particular importance to some of us children. Cybercrime is a significant challenge to our law enforcement agencies and particularly to our criminal justice system. As I understand it, as advised by areas of the Australian Crime Commission, cybercrime is fast becoming one of the most profitable forms of crime in the world and in fact is surpassing in many instances the global drug trade. The Australian Crime Commission conservatively estimates that serious and organised crime in this country is costing Australia somewhere between $10 billion and $15 billion a year. That cost takes in a loss to business, a loss to tax revenues, expenditure on law enforcement and regulatory efforts and also the social and community impacts that criminal activity has on our community. Due to the nature of cybercrime, it is very hard to estimate the extent to which it is occurring at the moment in this country. We know it is present, but we certainly know it is a challenge to properly assess the cost it is having to the Australian community. It is clear from matters which are already being addressed by the Australian Federal Police and other agencies, including the Australian Crime Commission, that this is a crime which is certainly having a significant impact in Australia but is not necessarily originating in this country. One of the things about cybercrime is that sometimes the victims of the crime may not even know that they have been victims of, say, credit card fraud or, if they do, they might not discover it for some time. In some areas, particularly business and financial institutions, sometimes these things go unreported because of significant commercial embarrassment.
Globally, the interconnected nature of the internet makes it very easy for sophisticated criminals to operate from abroad, especially from those countries where there are, as I said at the start of my contribution, significant windows of opportunity, whether through lax regulation or lax law enforcement arrangements, that allow them the chance to press their trade on the global internet.
The European convention, through this bill, will assist the Australian police in detecting, preventing and prosecuting cybercrime. Our police should be assisted in every way possible in respect of this crime because of the rising cost that it has, not only in the global community but also here. We know that it is developing in our own community; we are not insulated from it at all. This bill will make an amendment to the Mutual Assistance in Criminal Matters Act 1987 to allow Australian law enforcement agencies to both obtain and disclose communications for the purpose of foreign investigations.
Not all that long ago, when I was overseas talking to various police jurisdictions, one of the things that was made clear to me was the fact that there needed to be a greater degree of cooperation among law enforcement agencies and, in turn, various judicial authorities in international countries to ensure that they can close down and effectively prosecute various crimes, particularly cybercrime. That is essentially the basis of the legislation before the House today. The bill will also improve Australian law enforcement agencies' efforts to effectively investigate criminal matters by improving the legal requirements for the preservation of stored communications data by particular carrier networks. At the moment, as I understand it, before a warrant can be produced some carriers can delete information and therefore ensure, unwittingly, I suppose, that any investigation goes cold before it even starts. This bill will also widen the scope of existing Commonwealth computer offences to fully meet the requirements of the international convention.
As I said, the growing force of globalisation as well as the increased development in technology are forcing countries like ours to constantly adapt their laws to ensure that they appropriately meet the current threats to individuals, businesses and the nation as a whole.
As we have heard from previous speakers, this bill is in accordance with the recommendations made by the report of the Joint Select Committee on Cyber-Safety. Those recommendations include training for our police forces on cybersafety issues. The report also recommended mandatory training for judicial officers and various judicial court staff to ensure that they are up to date with emerging technologies, particularly as they relate to cybercrime. The report confirms the serious criminal status of cybercrime and what exposure to this form of criminal activity holds for our nation. It is a simple fact that, the more our businesses and other enterprises go online, the more criminal organisations will go online. It is folly to think that criminals are just a bunch of crooks who try to make a profit by the easiest possible means, because the fact is that modern-day serious and organised crime is not conducted by a bunch of uneducated crooks but by people who use the best of technology to ply their trade. That trade can be in anything from drugs to illegal weapons to prostitution—or whatever they plan to make a profit out of. The point I am making is that we should view the way that those involved in serious and organised crime conduct their activities as being similar to the way that businesses conduct their activities. Certainly they are nefarious business activities, but people involved in serious and organised crime are businesspeople in the sense that they are in it to make a profit. In order to make a profit they are prepared to invest, and they invest very large sums in technology. They run their criminal operations internationally through cyber activity from, in effect, the safety of their own backyard, and this is increasingly occurring in this country.
I understand from the Australian Crime Commission that the big attraction of cyber based crime is that it is globally connected, borderless, largely anonymous, fast and low risk and that high levels of information—financial data, personal information and business information, much of which is tradeable—can be accessed using cyber based methods. That is precisely what modern-day cyber crime is about: maximising profits, as most businessmen try to do, with the lowest possible level of risk.
I am very fortunate to be the chairman of the Parliamentary Joint Committee on Law Enforcement, which has oversight of law enforcement—the Australian Crime Commission and the Australian Federal Police. The ACC's cyber intelligence unit has recently noted the exponential growth in the use by organised crime of computer technology to further its activities. The ability of police to extract intelligence from computers, mobile phones and other types of digital devices as evidence is becoming increasingly vital to law enforcement investigations. Criminals tend to embrace technology—they are fast adapters—and this is reflected in the increased volumes of electronic data seized as evidence in law enforcement operations. One investigation by the Australian Crime Commission into a serious and organised crime group yielded 45 computers, 79 mobile phones, more than 50 SIM cards and over 100 other pieces of digital evidence. This is significant due to the fact that the group in question had traditionally been a drug syndicate and had not previously been known to focus on higher forms of technology; yet, as this investigation made clear, they had since adapted new technology to further their criminal operations.
Criminals exploit the weaknesses in our technology and legislation and, indeed, the confusion that has been created by the global reach of the internet and its rapid expansion. They use all this to facilitate traditional crimes in a new and far more targeted way, and this has devastating impacts on victims. The most serious concern involves cases where traditional crimes are adapted to the online environment. The internet, in some cases, has allowed traditional criminals to reach new victims while maintaining their anonymity and evading detection by police and law enforcement. The point I am trying to make is that if criminals are able to adapt with technology we should not expect our police and law enforcement agencies to protect our communities with both hands tied behind their backs. We need to not only give them access to the technology but to really support them to ensure that they can do their job, which is to protect our community against people like this.
Particularly when we get to talking about issues of child sex offences, I think that brings it home to all of us who are parents or, in my case, grandparents that we need to ensure that our law enforcement authorities have the most up to date and most effective weapons, including regulatory support not only to disrupt and detect but to bring down people who perpetrate that type of activity on our families and our communities. With that, I commend the bill to the House.
I rise to support the Cybercrime Legislation Amendment Bill 2011, and in doing so offer support to our law enforcement agencies in their efforts to deal with cybercrime and very serious transnational cybercrime. The bill will make amendments to four acts: the Telecommunications Act 1997, the Telecommunications (Interception and Access) Act 1979, the Mutual Assistance in Criminal Matters Act 1987 and the Criminal Code Act 1995.
I am a member of the Joint Select Committee on Cyber-Safety. We made 13 detailed and technical recommendations in our final report. This report was tabled in this House just last Thursday. However, the government has brought on this legislation and debate merely days after the report was tabled, without the Attorney-General or Minister for Home Affairs responding to those recommendations, and the minister has given no indication whether any of these recommendations will be supported and whether there will be further amendments made by the government.
The bill facilitates Australia's accession to the Council of Europe Convention on Cybercrime, and it amends the Telecommunications (Interception and Access) Act and the Telecommunications Act 1997 to oblige carriers and carriage service providers to preserve targeted stored communications when requested by certain domestic agencies or when requested by Australian Federal Police on behalf of certain foreign countries. There are three types of preservation notices: historic domestic preservation notices, the ongoing domestic preservation notices and foreign preservation notices.
The bill also provides Australian agencies with greater access to information held overseas in the investigation of cybercrime and internet crime. It deals with domestic and foreign preservation notices. The bill ensures that Australia meets requirements under the convention, which is the first international treaty on crimes committed either against or via the internet and other computer networks. It covers a broad range of crimes committed over the internet and computer networks, particularly online fraud, child pornography and the unauthorised access, use or modification of data stored on computers, such as violations of network security.
The main objective is to pursue a common criminal policy through consistent legislation and international cooperation. As many members before me tonight have indicated, there is no doubt that cybercrime and cyber-terrorism pose very serious and growing transnational threats that are operating on a global and industrial scale. Also, the ability to share telecommunications data with foreign countries will enhance the ability of the AFP to work with foreign counterparts, both in accessing data and information required for criminal offences and providing information for foreign counterparts to deal with the growing issue of cybercrime and cyber-terrorism threats. One recommendation of the joint select committee that I would like to mention is recommendation 9 in chapter 7, proposing that a new paragraph be inserted into the Telecommunications Act requiring:
… that the Australian Federal Police report to the Minister:
In my view we need to ensure that this legislation does not assist any foreign entity, government agency or partly or fully owned government entity to access material that is commercial-in-confidence, corporate secrets or material that would give it commercial advantage through either an individual or a number of strategically requested preservation orders. However, we do not know yet whether the minister will respond to recommendation 9. I understand from the hearings that the AFP has very sound working relationships with the foreign agencies and counterparts that it deals with on these matters, and they are existing. The AFP is extremely confident that there is not currently and will not be any unauthorised or third party access to the information provided. However, I bring to the minister's attention the importance of recommendations to include the requirement that the AFP report to him any evidence that disclosed data has been passed on to a third party or parties, as recommended by the joint committee.
During the inquiry the committee heard concerns that the convention does not contain sufficiently robust privacy and civil liberties protections to offset its increased surveillance and information-sharing powers. The Law Council, the Australian Bar Association and several other submitters expressed concerns relating to the threshold for granting a stored communication warrant, to privacy safeguards and to conditions of disclosure. The bill in its current form lowers the justification threshold for foreign countries, and this was something that did concern several of the submitters to the inquiry. There is no requirement that a foreign country justify the use of stored communications. The Law Council expressed the view that foreign agencies should be required to provide sufficient information on the merits of the request, but I note that the European convention contains express limitations and assumptions that limit the scope of procedural powers by requiring that such powers be for the purpose of specific criminal investigations and proceedings.
The committee's first recommendation was that the thresholds applying for issuing a stored communication warrant for a serious foreign offence should have the same thresholds as those applying to a domestic Australian investigation. The third recommendation includes 'an additional discretionary ground to decline a request where the requesting country’s arrangements for handling personal information do not offer privacy protection substantially similar to those applying in Australia'. The committee also felt that there are justified concerns about the unrestricted sharing of data with foreign countries. There was a view that the public will have more confidence in the new regime and processes if there is an alignment of the T(IA) and MACM acts to provide clarity to police on factors to be considered, and that is reflected in the recommendations made.
The committee also dealt with the practical issue of the impact of this legislation on the validity of concurrent state criminal offences. Western Australia, Victoria and New South Wales support Australia's accession to the convention provided that this does not lead to conflicts between Commonwealth, state and territory offence provisions. I note that the proposed legislation may have some effect on state and territory governments. In fact, the government of Western Australia said in their submission:
It is important to note that accession to the Convention should not create further bureaucracy which could act to stifle established links between agencies, particularly those formed at a State level. WA Police already has strong ties with a number of … service providers in attempting to tackle cybercrime. It would be detrimental if accession to the Convention were to erode these links.
As noted in the committee report, there is current uncertainty over the constitutional division of legislative power to make laws with respect to crime. The recent High Court decision that invalidated certain Victorian legislative provisions is a decision that has brought into question the approach to resolving the validity of concurrent and overlapping Commonwealth offences. In relation to these concerns, I note that the Criminal Code provides that Commonwealth computer offences are not intended to limit or exclude the operation of any law of a state or territory and that this clause will continue to apply. However, the committee also noted continuing concern about the impact on the validity of state law at a federal level. It was noted in our report that this may be significant, which is why further consultation with the states is required.
The bill does not detail the practical handling of content or trafficked data by carriers and carriage service providers, particularly in relation to privacy and confidentiality. These are critical issues for the consumers of services provided by the carriage service providers. The privacy and confidentiality of their communications is paramount to individuals and businesses, given both commercial-in-confidence issues as well as personal information matters. The committee made specific recommendations for the data handling and the protection obligations of carriers and carriage service providers, as well as the destruction of stored communications.
Tonight I have touched briefly on some of the 13 recommendations in the committee's report into this legislation. The joint committee was quite satisfied with what we recommended in relation to this legislation. The issue of cybercrime may require ongoing and further amendments, given the level of sophistication that our law enforcement agencies are having to deal with. We can only expect that this level of sophistication will increase and that there may be a requirement for further amendments to enable our law enforcement agencies to carry out their responsibilities and discharge the obligations or requirements we place on them as a parliament and as a people. On that basis I support this legislation.
The Cybercrime Legislation Amendment Bill 2011 makes amendments to facilitate Australia's accession to the Council of Europe's Convention on Cybercrime. The convention is the only binding international treaty on cybercrime. In April 2010 the Australian government announced its intention to join 40 other nations that have signed or become a party to the convention, including the United States, the United Kingdom, Canada, Japan and South Africa.
Cybercrime poses a significant challenge for our law enforcement and criminal justice systems. The global and interconnected nature of the internet makes it easy for malicious actors to operate from abroad, especially from those countries where regulations and enforcement arrangements are weak and, indeed, from countries where it seems that some governments half approve of the activities both of the state and of individuals in violating intellectual property in particular.
On 2 August a report by online security firm McAfee into cybersecurity, entitled Revealed: Operation Shady RATthat is, remote access tool—detailed the largest cyber attack to be uncovered. The report, by Dmitri Alperovitch, revealed that over the past five years there have been targeted intrusions into 70-plus global companies, governments and non-profit organisations, including the UN, Lockheed-Martin, Sony, PBS and even the International Olympic Committee. They also include the government of Australia and this parliament. Mr Alperovitch writes:
What we have witnessed over the past five to six years has been nothing short of a historically unprecedented transfer of wealth—closely guarded national secrets … source code, bug databases, email archives, negotiation plans and exploration details for new oil and gas field auctions, document stores, legal contracts … design schematics, and much more has "fallen off the truck" of … mostly Western companies …
And as a member of the Joint Committee on Intelligence and Security I would say of Western governments, including Australia, France and the United States. The report notes that these attacks are more insidious and occur often without public disclosure. Further, they present a far greater threat to companies and governments where these intrusions are motivated by a desire for secrets and intellectual property. For this reason, it is critical that laws designed to combat cyber threats are harmonised or are at least compatible to allow for international cooperation.
In June 2010, the House of Representatives Standing Committee on Communications tabled a report on cybercrime called Hackers, fraudsters and botnets: tackling the problem of cyber crime. The report included consideration of the European convention which resulted in the committee recommending to the Attorney-General, in consultation with state and territory counterparts, to give priority to the review of Australian law and practice and move to accede to the Council of Europe Convention on Cybercrime. In response to this report, the government accepted the committee's recommendation:
Australia is currently in a good position to comply with the majority of obligations under the Convention. The Government is working on the final legislative amendments required for Australia to formally accede.
The convention serves as a guide for nations developing comprehensive national legislation on cybercrime, establishes procedures to make investigations more efficient and provides systems to facilitate international cooperation, including empowering authorities to request the preservation of specific communications and helping authorities from one country to collect data in another country.
I note that the Attorney-General said in his speech that the bill will enable the Australian Federal Police to require the preservation of communications on behalf of a foreign law enforcement agency. However, once again, the content of these preserved communications can only be accessed following authorisation of a stored communications warrant under a formal mutual assistance request for a serious foreign contravention. This is an offence carrying a penalty of either three years imprisonment or a fine of $99,000. That is taking the issue very seriously.
The other systems that will facilitate international cooperation include establishing a 24/7 network to provide immediate help to investigators and facilitating exchange of information. The convention promotes a coordinated approach to cybercrime by requiring countries to criminalise four types of offences, including offences against the confidentiality, integrity and availability of computer data systems, including illegal access to computer systems, illegal interception, data interference, systems interference and misuse of devices. Computer related offences include forgery and fraud. Content related offences are offences relating to the infringement of copyright and other related rights. The convention requires parties to criminalise certain types of conduct committed via the internet and other computer networks and to ensure domestic agencies can access and share information to facilitate international investigations. As such, the convention will help Australian agencies better prevent, detect and prosecute cyber intrusions and criminal activity conducted over the internet.
Australian law already complies with the majority of the obligations of the convention. In particular, jurisdictions in Australia have created relevant offences and have provided agencies with many of the powers and procedures required by the convention. The bill amends the Telecommunications (Interception and Access) Act 1979, the Criminal Code Act 1995, the Mutual Assistance in Criminal Matters Act 1987 and the Telecommunications Act 1997.
The proliferation of illegal access of data, computer enabled fraud and forgery, and attacks against computer systems pose a strategic challenge not only to Australian's political, economic and national security interests but to many other nations around the world. The threat posed by cybercrime and targeted intrusions is on a massive scale, with such attacks and crimes possibly affecting nearly every industry and sector of nations around the globe. While I cannot go into it, my experience as a member of various committees of this parliament leads me to reflect on the fact that the Attorney's legislation and the remarks that I have just made have, in my view, absolute authority. The things that have been done that I am aware of that breach cyber-security and are criminal intrusions, whether by individuals or governments, into this nation's affairs are truly astonishing. I note the member for Barton, the Attorney-General, concluded his speech by saying:
The increasing cybercrime threat means that no nation alone can effectively overcome this problem and that international cooperation is essential.
Australia must have appropriate arrangements domestically and internationally to be in the best possible position to fight cybercrime and to do it in cooperation with international partners.
I commend the Attorney-General for introducing this legislation. This bill brings Australia’s into line with the European Convention on Cybercrime and enables us to improve our ability to combat this ever-increasing threat. I commend the bill to the House.
I am particularly pleased to have the opportunity of joining the debate on the Cybercrime Legislation Amendment Bill 2011. This is an important bill. It is a bill which, in my view, is vital to be passed so that it can be entrenched as part of the law of Australia. This bill aims to improve further Australia's defences against cybercrime—which, believe it or not, is now a bigger industry world wide than the trafficking of illegal narcotics.
It is extremely difficult for those of us in the community to actually appreciate the growth of cybercrime. It was only 10 or 15 years ago that cyberspace was something that most people knew very little about. The internet has become very much a tool used by just about everybody and the new division of our society is no longer between rich and poor but between information rich and information poor.
Cybercrime is a criminal growth area that requires an equivalent growth in the strategies and tactics to combat it. Too often we hear stories of innocent computer users having their world turned upside down suddenly through identity theft, online robbery of funds and the theft and fraudulent use of other personal information like bank account numbers, credit card details and the like. We also hear of the internet being used for the commission of crimes like child pornography, online fraud and the unauthorised use of data stored on computers in computer networks.
The situation is heightened by the fact that many people using computers can turn a computer on, can log on and can participate in the internet but have very little actual knowledge of how the internet operates and how those people who are ill disposed are able to break the law of Australia by participating in cybercrime. It is also relevant to note that the internet has made the world more accessible and has made the world smaller. Cybercriminals can base themselves virtually anywhere in the world, being able to pinpoint and hone in on targets anywhere, including Australia. So the need for a truly international offensive is as important as ever.
It often concerns me that we have these microstates in some parts of the world, which, for all intents and purposes, are failed states. They are economically unviable and heavily dependent on foreign aid and sometimes on crime and the proceeds of crime. A nightmare is that a criminal syndicate or criminal people could effectively take over one of these mini states and, by doing so, acquire all of the respectable authority of being a nation state. So it is important for us to remain vigilant and for us to recognise that an international offensive against cybercrime is as important as ever.
With more and more commerce being conducted on the internet and the increase in online social interaction, in line with the growing popularity of social media sites like Facebook, Twitter and MySpace, it is not hard to see why cybercrime is the growth industry that it is and why criminals would see the opportunity to trawl the internet for their next victim and prey on unsuspecting computer users and for the internet to be a handy and powerful tool for committing all sorts of crimes. With the increase in these online offences comes a proportionate increase in the need to set up barriers and preventive measures to ensure that computer users are protected as best they can be. This bill provides for changes to be made to the laws of Australia that will enable our country to join the Budapest convention, which is otherwise known as the Council of Europe Convention on Cybercrime. Some people would ask, 'Why on earth would Australia want to become a party to the Budapest convention, or the Council of Europe Convention on Cybercrime?' Interestingly enough, the convention has been acceded to by the United States, Canada, Japan and South Africa. It was tabled in parliament on 1 March this year. As is appropriate under our system of government, the Joint Standing Committee on Treaties has had a good look at it.
This international treaty will provide for telecommunications providers in Australia to be required to preserve telecommunications data, for specific reasons, when that information is requested by international crime-fighting authorities as well as by domestic organisations, like the Australian Federal Police. Its main aim is to foster a common international policy that has, as its No. 1 goal, a regime that enables all of society to be protected against cybercrime by adopting appropriate legislation and by encouraging international partnerships and cooperation.
There have been some concerns raised with the Joint Standing Committee on Treaties that focus on issues of privacy, jurisdiction and the loss of autonomy in future investigations. Some of the submissions suggested the accession to the treaty allowed increased surveillance and information-sharing powers but did not also include sufficient privacy and civil libertarian protections to counteract these provisions. Major concerns raised in submissions focused on the collection and use of computer data.
As I said before, there will be tens of thousands, if not millions, of people—I did not say the actual numbers—who consider themselves to be computer literate but just do not really understand what happens when they turn the computer on and log on and what can occur to their privacy simply as a result of joining the World Wide Web. It should be noted in response to some of the concerns expressed by those worried about the impact of this bill that the powers granted by this bill under the treaty will not impact on surveillance activities, like wire-tapping, because the amendments focus only on data collected by telecommunications carriers.
Regarding the concerns about the impact of any overlap of jurisdictions of the Commonwealth and the states, the Criminal Code does provide that Commonwealth cyberlaws are not intended to limit or undermine the operation of any state or territory laws, so that safeguard exists. Since Federation in 1901 the states of Australia have, with some justification, been concerned about the ongoing encroachment by the Commonwealth parliament into areas which were hitherto seen as being matters of state constitutional responsibility. We all know that that has happened in a range of ways from constitutional amendment—not that the Constitution is amended formally on very many occasions—to judicial interpretation and by the Commonwealth using its treaty-making power and entering into treaties with foreign states. So it is understandable that the states see their position as constantly being eroded, but sometimes, with respect to matters such as cybercrime, I think it is important that we look at this issue on a national basis and recognise that the overall national good might outweigh what would otherwise be seen as understandable concerns by the states that constitute the Commonwealth of Australia.
That is right, honourable member for Melbourne Ports. The legislative changes outlined in this bill must be made to ensure that Australia meets the requirements that enable it to join the convention. This will help ensure that the trail of evidence left behind by cybercriminals when they commit their offences is preserved, retrievable and accessible to those investigating and fighting online crimes. The treaty fosters mutual assistance between member nations, creating an international network that embraces cooperation and mutual assistance with respect to crimes that are not restricted by international borders. Increasingly, with cybercrime becoming a greater and greater concern, crimes are no longer restricted by the boundaries of a nation state. This cybercrime-fighting convention is the first international treaty of its kind that deals with cyber and online crime. As I said before, a number of other nations not in Europe have become part of it.
This bill provides for amendments to various acts including the Telecommunications Act 1997, the Telecommunications (Interception and Access) Act 1979, the Mutual Assistance in Criminal Matters Act 1987 and also the Criminal Code Act 1995. The changes include: requiring telecommunications carriers to store communications data for specific people when requested by the Australian Federal Police on behalf of other countries, giving Australian authorities the right to obtain and disclose relevant telecommunications data for the purposes of a foreign investigation, providing for extraterritorial operation of some offences under the Telecommunications (Interception and Access) Act 1979, modifying the offences outlined in the Criminal Code Act 1995 to ensure that it has a wider and more adequate scope, and creating confidentially protections in relation to authorising the disclosure of telecommunications data.
The world of crime continues to evolve. When television first came out, a lot of people were transfixed by programs like The FBI and other programs that led us to believe that the forces of good would always outweigh the forces of evil. But time has marched on, criminals are not always what they appeared to be and it really is important that governments, nations and the world use the latest technology, whatever that might be, to make sure that cybercriminals are apprehended in the way that every other criminal should be. The internet is a powerful and far-reaching weapon. It should be used as a tool; it should be used to our benefit, and if people want to use it for another purpose then it is absolutely vital that they are apprehended and stopped.
This bill will add to the legislative arsenal that is available to fight against cybercrime. It is somewhat unfortunate that the bill has been brought into the House so soon after the release of the report from the Joint Select Committee on Cyber-Safety, so it may eventuate that we have to review some of the provisions of this legislation in the future. Having said that, this is good legislation, necessary legislation. It is legislation which may in the future be required to be changed, but ultimately it is better that we should get it on the statute books now and if it needs some tweaking in the future then obviously that is within the purview of the parliament to achieve. I am very pleased to add my voice to the voices of those people supporting the bill before the House which will, in my view, assist greatly in the fighting of cybercrime and cybercriminals. I commend the Cybercrime Legislation Amendment Bill 2011 to honourable members and to the parliament.
I am pleased to have the opportunity to speak on the Cybercrime Legislation Amendment Bill 2011. This is a bill which makes amendments to a range of existing acts which collectively give effect to the regulatory regime applying to online criminal activity today and also give effect to the framework for international cooperation between regulatory and enforcement authorities in a range of jurisdictions. For that reason, the bill amends a series of acts, including the Telecommunications (Interception and Access) Act 1979, the Criminal Code Act 1995, the Mutual Assistance in Criminal Matters Act 1987 and the Telecommunications Act 1997. The purpose of the set of amendments made by this bill to all of those acts is to ensure that Australian legislation is compliant with the requirements of the Council of Europe Convention on Cybercrime so that in turn Australia can accede to that convention. Why is it that we as a nation would be concerned by the terms of a convention agreed between a range of European nations? The answer to that question becomes clearer when you look at the substance of the provisions which will be introduced into the various acts that I have mentioned.
Firstly, under these provisions carriers and carriage service providers will be required to preserve the stored communications and telecommunications data for specific persons when they receive a request to do so from certain domestic agencies or from the Australian Federal Police on behalf of certain foreign countries. Secondly, the amendments have the effect that Australian agencies are able to obtain and disclose telecommunications data and stored communications for the purposes of a foreign investigation. Thirdly, the amendments provide for the extraterritorial operation of certain offences in the Telecommunications (Interception and Access) Act. The amendments also expand and amend the computer crime offences in the Criminal Code Act 1995 and create confidentiality obligations for authorisations to disclose telecommunications data.
All of that may sound quite dry, but speaking as a former senior executive at a large telecommunications company I assure you that these are matters which engage the attention of a large number of people in the telecommunications and information technology sectors, as well as the law enforcement and justice authorities. I want to make three key points. My first is that the international nature of cybercrime, reflecting in turn the international nature of the internet, makes this kind of international cooperation essential if authorities in any one country are to join with authorities in other countries to achieve appropriate responses to online criminal activity. The second point is that one of the aspects of this package of legislation is that there are significant operational impacts on telecommunications carriers and internet service providers. I want to highlight my concern that focus needs to be given to allowing these companies sufficient time to implement the new requirements that will be imposed upon them. Thirdly, I point to some of the non-trivial issues of process, fairness and equity of approach which have been highlighted in the very good report of the Joint Select Committee on Cyber-Safety. My view is that we need to see a response from the government on some of these issues.
Let me turn firstly, therefore, to make the point that there is a growing and international threat from cybercrime. I quote the recently departed Chief Executive Officer of the Internet Industry Association, Peter Coroneos, who said:
It is critically important for the future of the internet that we develop globally consistent policies to tackle the spectre of cybercrime and potentially, cyberterrorism.
When he made these remarks, Mr Coroneos talked about the icode model, which has been adopted by the Internet Industry Association, as a private sector response to this threat. He noted that icode is being examined by international organisations like the OECD and APEC. A private sector approach is very much to be encouraged and welcomed, but the nature of this problem is one which requires a comprehensive global approach involving the government as well as the private sector.
Let me also cite some remarks on this topic by US President Obama, speaking on 29 May 2009. He had this to say:
It is the great irony of our information age—the very technologies that empower us to create and to build also empower those who would seek to disrupt and destroy. And this paradox—seen and unseen—is something that we experience every day.
He went on to make the following observations about the American people, but you could replace the word American with Australian or indeed the identity of peoples of any country around the world. He said that tackling the problem of cybercrime was:
… about the privacy and the economic security of American families. We rely on the Internet to pay our bills, to bank, to shop, to file our taxes. But we've had to learn a whole new vocabulary just to stay ahead of the cyber criminals who would do us harm—spyware and malware and spoofing and phishing and botnets. Millions of Americans have been victimized, their privacy violated, their identities stolen, their lives upended, and their wallets emptied. According to one survey, in the past two years alone cyber crime has cost Americans more than $8 billion.
I repeat the point that similar remarks could be made about the peoples of any nation including Australia with perhaps some appropriate scaling down of that particular figure that he quoted. The fundamental point is that cybercrime is international in nature. We have known for more than 15 years that Australia's classification system faces great challenges because pornographic material can be hosted on servers around the world. I might add that the long promised internet filter from Minister Conroy is not a practical or workable solution, as he appears to have in practice conceded by hastening extremely slowly with that particular policy.
We know that criminal gangs in many parts of the world, Russia and many other countries, target consumers all around the world including in Australia. We know that fraudulent activities over the internet emerge from many different parts of the world. Those Nigerian reserve bank emails do not necessarily come from Australia, although I might add they do not necessarily come from Nigeria either. The central point is that international fraudulent and criminal activity over the internet is occurring in many different countries. Accordingly, if we are to find solutions to these problems, there must be cooperation between international authorities. The more that jurisdictions are able to link together so that cybercrime masterminded in one country but affecting victims in another can be effectively pursued the better. That is the underlying purpose of the Council of Europe Convention on Cybercrime.
To return to the question of why it is that Australia would sign up to a convention between European nations, the point is that the title is slightly misleading because so far the convention has also been acceded to by the US, Canada, Japan and South Africa. If this bill passes into law, Australia will also be able to accede to this convention. It is the first international treaty which addresses crimes committed either against or via computer networks and it deals particularly with online fraud, with offences related to child pornography and with the unauthorised access, use or modification of data stored on computers. The principal objective is to pursue a common criminal policy aimed at the protection of society against cybercrime.
I want to briefly turn to the second point I want to highlight this evening which is that the impact of this legislation on telecommunications carriers and internet service providers is significant. Drawing on my previous experience I can observe that the task of compliance with legal and regulatory obligations is a substantial one for carriers and internet service providers. It occupies a substantial amount of time and resources. The law enforcement liaison unit at Optus involves full time some 10 to 15 employees at different times of the year and those of other companies would be of corresponding sizes. The other key point to make is that when the regime changes and the legal obligations applying to carriers and internet service providers change there is a significant lead time in those companies changing their compliance arrangements. To take one specific example in this bill, if you are to impose a requirement to store data on request for up to 180 days that adds complexity and requires additional data storage capacity. That cannot be delivered overnight.
There is a tendency in government to say 'We've passed the law, we've done what needs to be done and the private sector can get on with meeting their legal obligations.' I would highlight the comments made by Telstra in its submission:
… Telstra would also like to express its serious concerns that there is no transitional period allowing C/CSPs the time to:
in order to be fully compliant with the new legislation.
I think that is a serious and substantive concern. I urge the government and the appropriate government agencies to be responsive to that point and to allow sufficient time for implementation and to give serious consideration to another point Telstra made—in my view, quite properly—which is that there is an issue of cost recovery here that needs to be dealt with. In other words, I make the point that while the principle underlying this legislation is a sound one and it is a necessary and appropriate mechanism there are some issues of implementation that need to be carefully considered.
In the brief time remaining to me I will address some of the issues raised by the Joint Select Committee on Cyber-Safety in its excellent report. They are substantive and deserve a considered response from government in the course of this legislation being considered by the House. For example, a concern was raised that the thresholds which apply to the issuing of a stored communication warrant for investigation of a serious foreign offence should be the same thresholds that apply for domestic investigations. There was a concern raised that law enforcement agencies of a foreign country could request information in circumstances where there are not privacy protection measures in place in that foreign country which meet standards that we in Australia would regard as acceptable. The Law Council of Australia argued that while it does not object in principle to assistance between international police forces the ability of Australian law enforcement agencies to share data directly with counterparts overseas should be subject to strict conditions.
Finally, one of the concerns raised was by state governments noting that this legislation greatly expands the scope of the Commonwealth computer crime offences and raises the question of the impact of this on the existing state legislation. Therefore, while I am a supporter of this legislation in the broad, I make the point that there appear to be some details which ought properly be addressed by this government in the course of taking this legislation through the parliament.
I welcome the opportunity to speak tonight on the Cybercrime Legislation Amendment Bill 2011. All members of this place would be aware—or at least their staff would be aware—that in recent weeks we have received a great number of emails. These emails have come from our constituents and from around the country. They have been sent to us for the purpose of trying to persuade us on a number of issues: live animal export trade, same sex marriage or even the carbon tax. These are things that of great concern to Australians and we should never believe that we can dismiss these matters out of hand.
I always say to my staff, if it is important enough for someone to contact our office it is important enough for us to do something about it. I would probably hesitate to say that that applies to people within my electorate but I guess I cannot help everyone around the country. It really does say something that in the modern age it is very easy to communicate. It is very easy to reach out across cyberspace and make contact with somebody out there. People can do that not only in the case of their particular cause but also in the case where they are up to no good or they may be committing a crime. A person used to be required to put pen to paper or get the old typewriter out and find a stamp then whack it in the letterbox, but in the modern age that is not the case any more. This has opened up a wide variety of criminal options that colleagues have mentioned during the debate.
As I said, in the same manner that we have been the destination for several email campaigns in recent weeks, Australians have for many years been the target of persons offering dodgy deals and rip-offs via email. It is a very cheap means of delivery. With the right computer programs, millions of emails can be sent out as bait just waiting for someone to respond. Those of us who check our Parliament House email accounts will find great offers from those overseas trying to transfer money out of the country, offering us a percentage of millions of US dollars that they have access to. That is the reality, but as always the snake oil salesmen of the modern era offer a deal that is just too good to be true. Sadly, in spite of receiving an unsolicited offer from a person they do not know offering money that does not belong to them or to the originator of the email, many people are drawn in by this and taken in by the deception. It is pretty much an everyday event in Australia. I note that in the 2007-08 financial year, as colleagues have said tonight, the ACCC received 12,000 online scam complaints. Whilst we may distribute from our office the little black book of scams, unfortunately there will still be Australians that will be taken advantage of or might be deceived by these sorts of criminal activities.
This is just one part of cybercrime and in many ways it is the low end, the unsophisticated end. Although it is a significant acknowledged problem around the world, we know that the only multilateral international treaty on cybercrime is the Council of Europe Convention on Cybercrime. It is in relation to the convention that we are having this debate about this bill which provides for the necessary amendments to Australian laws to facilitate our entry to that convention on cybercrime. As has been said before, this convention is also known as the Budapest Convention.
The main results of this bill being passed will be the imposed requirements on carriers and carriage service providers to preserve data for specific persons when they have been requested to do so by domestic agencies or by the AFP, the Australian Federal Police, on behalf of foreign countries. The Budapest Convention is all about crimes committed either against or via networks and it is focussed particularly on online fraud, unauthorised access, use or modification of data stored on computers and the particularly insidious child pornography crimes. In many ways the convention is about establishing a common criminal policy and taking away the opportunities for criminals to have an easy path for their criminality which they can base in any country. The convention does so by having countries adopt consistent laws and ensuring the best opportunities for fostering international cooperation.
The reasons for the convention and the need to act are apparent. For instance, in February 2008 a hacker attacked the Australian Stock Exchange website bringing it down for four hours. Although the attack could probably be more described as something like a cybergraffiti attack than the destruction or altering of figures or the theft of information, the damage that could have been done could have been even greater given that it was in January 2000—just one month before—that live company and share price information was added. Though the four hours represented just a significant inconvenience, it did prove to be a lesson for the future—but, unfortunately, there have been many incidents since then.
An incident which demonstrates another aspect of information security is the report that a US car maker suffered an incident a few years ago. Apparently a disaffected employee walked out of the building and away from their job but carried with them the latest prototype plans for a car on a flash drive. Those plans were apparently leaked and the cost in lost sales as customers decided to wait for the next model to come out, together with some research and development problems, was estimated at $1 billion.
It is probably the reason that these days if someone decides to resign from a company or is let go by a company often they are escorted from the building. With computers on every desks these days it is very easy to take damaging information away from any business. That is, again, an aspect of the modern world. In just May this year it was reported that Sony was the subject of a cyberattack which resulted in its Playstation network being offline for 23 days because information from tens of millions of subscribers was accessed. The cost was some $171 million.
I, like most members, have an RSA security token on my key ring. This token allows us to get remote access to the parliamentary computer network. On 21 May this year, Lockheed Martin, a large US military contractor, announced that they had sustained what they described as a 'significant and tenacious attack'. That attack occurred using data stolen from RSA—the security token producer—in a hacking in March this year. So we can see that these events are not occurring in isolation and that the skill of these criminals has application beyond the initial crime itself.
I also note that in the first three months of 2011, McAfee, the antivirus company, estimated that some six million malicious—or malware—software programs had been unleashed onto the internet. Again, it is a reality that while there is imagination in the world, there will be someone out there looking to create computer programs designed to separate information or money from those that they wish to target. They will do it for the money or as some sort of challenge. It may be for personal gain or it may be for some political statement. But they are out there and they exist and they are, without doubt, up to no good.
When Mr Rudd was the Prime Minister, there was a major attack on the Australian government's major website. It was apparently hacked in protest. It is a stark reminder to us all that, just because we are in the business of government in this place, we are most definitely a source of interest for attackers and criminals and there are vulnerabilities that we must always be on our guard against.
Before moving on to aspects of the actual bill itself, I wish to spend a bit of time on the most heinous crimes of all—that being the sexual abuse of children. Without a shadow of a doubt, it is a reality that out there in the world—in this country—today there are evil people. There are people who abuse children and there are those who seek to derive financial gain out of abusing children. In the past these evil tendencies were mainly suppressed because these terrible people did not have access to things like the internet. Nowadays, they can seek to indulge their depravity through their perceived anonymity on the internet. Fortunately, this perception of anonymity is not true anymore because we have officers of the Australian Federal Police and other agencies around the world intercepting emails and getting into the chat rooms to find these people, getting into the social media and the other means by which these images are exchanged. More and more of these pathetic yet terrible people are being found out and dealt with, and that is good because if these people feel the inclination to look at those sorts of photos they are more likely to act on the impulses they have. It is not just the looking; it is in fact because of the symptoms of evil people that they should languish in jail. People who look at such images just cannot be trusted in society and have to be dealt with to the full extent of the law. In my view, I have grave doubts that rehabilitation is ever possible for people like that. I am sure that taxpayers would not mind them languishing in jail for the rest of their lives, but that is a personal opinion.
With regard to the convention, it would appear at the outset that it is only about European nations. But, as we know, the United States, South Africa, Japan and Canada have all acceded to the convention. The Treaties Committee, JSCOT, has looked at the convention and reported on it as well.
In Australia the existing laws that will be amended by this bill include the Telecommunications Act 1997, the Telecommunications (Interception and Access) Act 1979, the Mutual Assistance in Criminal Matters Act 1987 and the Criminal Code 1995. The amendments will, as I have previously stated, require carriers and carriage service providers to preserve the stored communications and telecommunications data for specific persons when requested by certain domestic agencies or when requested by the AFP on behalf of certain foreign nations. The amendments will also ensure Australian agencies are able to obtain and disclose telecommunications data and stored communications for the purposes of a foreign investigation. Those are just some of the things that this bill will do. As I said, the bill has been looked at by JSCOT and more recently—just in the last few days—reported on by the Joint Select Committee on Cyber-Safety.
In the very limited time I have left to speak on this bill, I want to say that everyone in this place acknowledges the need for action on this matter, and not just for action today. As I said before, while imagination exists, people will come up with more and more sophisticated methods to commit crime and particularly crime through information technology, or cybercrime. So I anticipate that we or our successors in this place will continue to address these sorts of problems. Because I guess there will always be bipartisan support to take action on these matters, the challenge will be to try to do that without making the future so onerous on the service providers in this country that they can no longer able to operate. But we should be very certain that there is bipartisan support for strong action on these matters, and let us hope there always will be.
The Joint Select Committee on Cyber-Safety, in the short time available to it, issued a very detailed report with 13 very strong recommendations to improve the Cybercrime Legislation Amendment Bill 2011 that we are now debating. I am extremely concerned that the hard work of that committee is being ignored. Though the committee's report does not address all of the concerns that the Greens and other stakeholders have had about how this bill would operate in practice, it does propose some very solid improvements to the bill. As my colleague Senator Scott Ludlam has indicated, the Australian Greens continue to believe that there are fundamental flaws in this cybercrime bill and the controversial European Convention on Cybercrime that it seeks to implement. In fact, this bill goes further than the problematic European treaty. Unlike the European treaty, this bill requires the ongoing collection and retention of communications. Unlike the European treaty, this bill requires police to pass on data even if it is inconsistent with human rights standards. And, very concerningly, this bill leaves open the door—