Robert McClelland (Barton, Australian Labor Party, Attorney-General) Share this | Link to this | Hansard source

I move:

That this bill be now read a second time.

Over the last few years Australians have rapidly increased their internet and computer use.

More Australians than ever are communicating online to create and exchange information socially and for business.

Growth in the digital economy means that most Australian businesses now have an internet presence.

Advances in technology together with consumer demand and cost-effectiveness will drive further expansion into the online world.

This is very important for the Australian economy. Technology provides the opportunity to reduce the geographical isolation that we experience from major trading markets.

At the same time, the ease with which information can be collected and communicated means that even home users have sensitive personal information on their computers.

It goes without saying that employers often hold sensitive information about employees and customers such as banking details, medical records and contact details for family members. This information can be extremely valuable to cybercriminals, rendering users vulnerable to credit and identity fraud and opening the door to large-scale attacks on businesses and government agencies and employees whose information is retained by those businesses and agencies.

Securing such information from malicious access is critical to protecting Australians from criminal activity, building confidence in the digital economy, ensuring the integrity of key infrastructure and protecting private identity information from being stolen by criminal organisations.

Defending computer networks from criminal and malicious activities is an important first step.

Currently, network operators can undertake protective activities once a communication becomes accessible from a computer server or at an earlier point in time with the consent of the persons using the network.

As attacks become more sophisticated, there is an increasing need for network operators to defend their networks at the earliest point.

Currently, though, in the absence of the knowledge of users, and indeed their express consent, such activities may be regarded as a breach of the Telecommunications (Interception and Access) Act 1979.

While consent can easily be obtained from internal network users such as employees, external users may not be aware that their communications are being monitored.

Yet communications from external users are in fact the ones that generally pose the greatest risk to networks.

This bill amends the act to ensure that network operators can undertake legitimate activities aimed at securing the integrity of their network and the information it contains.

Currently an exemption exists under the act for network protection activities undertaken by designated security and law enforcement agencies to enable them to protect their networks.

Early last year the parliament agreed to extend the operation of these provisions until 12 December this year while a broader solution relevant to all networks, both government and nongovernment, was developed.

The network protection regime proposed in this bill is the result of active consultation with a broad range of stakeholders, including representatives from the business community, law enforcement agencies and user groups.

I note that the bill has been modified to address a number of concerns raised in submissions in order to strike an effective balance between protecting networks from malicious activities while protecting users from unnecessary or unwarranted intrusion. Essentially it is about balance.

Central to this, the bill recognises the general prohibition against interception and clearly identifies the circumstances in which the access, use and disclosure of information for network protection purposes will be permitted.

The bill does not oblige network operators to undertake network protection; nor does it specify any type of technology that must be used. I stress and emphasis that because there was some criticism, when this matter was originally put in the public domain for disclosure, that in some way the government was avoiding its responsibilities to protect networks and putting those responsibilities on private users. That is not the case.

Clearly, however, prudence and informed use suggest that those measures should be taken and, if they are taken, network managers should not be exposed to criminal sanction that most probably would occur under the existing legal framework.

Rather, the amendments that we are proposing focus on providing clear guidance about when communications can be accessed for network protection activities and the legitimate use and disclosure of information obtained through these activities.

Under the proposed regime, network protection activities that copy or record a communication, without the consent of the sender, before that communication is available to the intended recipient, will be unlawful unless certain conditions are met.

Interceptions must be carried out by a person lawfully authorised to carry out duties relating to the protection, operation, maintenance or, in limited circumstances which I will refer to subsequently, appropriate use of that network.

In addition, interception of a particular communication must be reasonably necessary for the performance of those duties.

Once information has been collected, it can only be disclosed to a designated person or, in limited circumstances, to a law enforcement agency. Any such disclosure will be discretionary. I emphasise that.

Law enforcement agencies will not be able to compel network operators or employers to provide information to them under the provisions that we are introducing. Nor can information be used or communicated if it is converted into a voice communication in the form of speech.

This means that telephone communications will not be accessible under these provisions, preserving the integrity of the interception warrant regime.

The bill also enables designated government security authorities and law enforcement agencies to protect their networks against inappropriate use. Again, I emphasise that the capacity to protect networks against inappropriate use will be restricted to designated government security authorities and law enforcement agencies—and specifically not the broader employment market.

While the majority of threats come from external sources, in order to protect information held in sensitive networks—such as, or specifically referring to, security authorities and law enforcement agencies—it is also necessary to ensure that persons working in such organisations use the network appropriately or in accordance with the agreed use.

This capability is consistent with the current network protection provisions which enable these agencies to undertake network protection activities for this purpose.

As the description of an appropriate action will vary between these government organisations, the bill limits network protection activities undertaken for this purpose to any reasonable uses and conditions set out in a user agreement between the agency or government organisation as employer and their employees, contractors or others identified in the specific terms of the legislation.

It is anticipated that existing IT user agreements within these organisations will meet this condition.

Information suggesting inappropriate or illegal conduct by an employee or person working for one of these specified government organisations—that is, as I have specifically mentioned, limited to security and law enforcement agencies as defined in the proposed legislation—will be able to be communicated or used for disciplinary purposes as long as that communication or use does not contravene another Commonwealth, state or territory law.

This specific preservation of state and territory laws protects workers by ensuring that these government employers cannot avoid applicable state or territory workplace relations requirements or workplace surveillance laws by accessing information under this act. Currently, no such protections exist in the act.

As network protection activities operate outside the scope of the act, there is no protection or guidance on the legitimate use and disclosure of information obtained by network owners for network protection purposes.

This means that, in the absence of other relevant statutory duties, there is a real risk that information can be used inappropriately against network users.

The network protection regime set out in this bill clearly addresses this gap, providing specific direction to all network owners and operators about the circumstances in which communications can be accessed for the purposes of network protection activities and the legitimate purposes for which information can be used.

The bill also includes several amendments that will improve the effective operation of the act. The bill amends the definition of ‘permitted purpose’ in relation to the New South Wales Police Integrity Commission to reflect an expansion in the commission’s role. Information intercepted in the course of investigating a serious offence will be able to be used for the purposes of investigating conduct relating to administrative officers of the New South Wales Police Force and officers of the New South Wales Crime Commission.

The bill also clarifies that information that has been intercepted by the Australian Federal Police in the course of investigating serious offences, including terrorism offences, can be used by the Australian Federal Police for purposes associated with the making of control orders and preventative detention orders under divisions 104 and 105 of the Criminal Code.

Finally, the bill makes amendments to the provisions of the act that relate to evidentiary certificates. The bill will enable the managing director of a carrier to delegate his or her authority to sign evidentiary certificates in relation to interceptions authorised under a warrant issued to the Australian Security Intelligence Organisation (ASIO) and information authorised under a stored communications warrant issued to a law enforcement agency.

These amendments replicate current provisions in relation to interceptions undertaken in relation to a warrant issued to law enforcement agencies. The bill also contains provisions enabling evidentiary certificates to be issued in relation to the access of telecommunications data. The amendments will ensure that sensitive interception capabilities will not be exposed in the course of court proceedings.

These technical amendments will ensure that the act continues to be clear and relevant in the obligations and powers it places on telecommunications carriers and law enforcement agencies.

This bill will maintain the currency of the act by ensuring it responds to new and emerging challenges. The introduction of a comprehensive network protection regime will, for the first time, provide clear guidance on when network protection activities can be undertaken and the conditions that must be complied with when dealing with related information.

By enabling networks to protect their infrastructure and information while recognising the importance of user privacy, this bill marks an important step in this government’s commitment to building confidence in the online world. I commend the bill to the House.

Debate (on motion by Mr Billson) adjourned.