Sussan Ley (Farrer, Liberal Party, Shadow Minister for Justice and Customs) Share this | Link to this | Hansard source

I am pleased to speak on the Telecommunications (Interception and Access) Amendment Bill 2009. This bill will amend the Telecommunications (Interception and Access) Act 1979, the T(IA) Act, to implement a full legislative solution that clarifies the basis on which communications can be accessed for the purposes of protecting a computer network. In order to give this bill and its proposed amendments some context, I would like to quote from the discussion paper and exposure draft legislation produced by the Attorney-General’s Department in July of this year. I would also like to reflect on some remarks within the EM to the bill.

Increasingly, the use of online services by individuals, governments, business and the not-for-profit sector means that sensitive information is regularly transmitted and stored electronically. I think it is fair to say that there has been an absolutely exponential boom in the online storage of progressively more and more sensitive information. Accessing or disrupting the carriage of this information can provide significant financial and other benefits for criminal elements. Protecting information and computer infrastructure from malicious attack is a key concern for governments and for the growing number of computer network owners, whose networks hold and transmit such information.

In 2008 the Australian Bureau of Statistics reported that, between June 2006 and June 2007, 86 per cent of all businesses reported that they used the internet, one-third of all businesses reported that they had a web presence, 40 per cent of all businesses reported they had placed orders via the internet and just over one-fifth of all businesses reported they had received orders via the internet. Businesses estimated that approximately $68 billion was generated by these orders, or 3.5 per cent of total income from the sales of goods and services. The ABS has reported that as at December 2008 there were almost eight million subscribers to the internet in Australia. Of these, 1.3 million were businesses and government subscribers and 6.7 million were household subscribers.

As sectors of the community become more and more reliant on internet technology to relay and store sensitive information, the potential grows for people, including organised crime and terrorist groups, to harm individuals and organisations through malicious access to such information. Accordingly, protecting sensitive information from these attacks is something that we in this parliament should be holding front and centre of our concerns. I am pleased to say that the coalition support the Telecommunications (Interception and Access) Amendment Bill although, as we did with the previous bill of this type, we foreshadow amendments pending the recommendations of the committee to which this bill has been referred.

The A-G’s Department developed a proposal to amend the T(IA) Act to allow all owners and operators of computer networks in Australia to undertake activities to protect their networks. A draft proposal was set out and submissions were received, and I thought that the public comment was very valuable indeed.

The actual substance of the bill, as I said, seeks to amend the T(IA) Act to enable the owners and operators of computer networks to undertake activities to operate, maintain and protect their networks; to enable Commonwealth agencies, security authorities and eligible state authorities to ensure that their networks are appropriately used by employees, office holders or contractors of the agency or authority; and to limit secondary use and disclosure of information obtained through network protection activities and require the destruction of records obtained by undertaking network protection activities when the information is no longer required for this purpose.

As noted in the bill’s explanatory memorandum, the increase in online services by individuals, governments and businesses is what has generated the need for these amendments, as well as the increasingly apparent use of criminal syndicates who exploit weaknesses in the carriage of information across the world. We should note that not all network protection activities are currently lawful under the Telecommunications (Interception and Access) Act. Whether an activity is lawful depends on the particular characteristics of the activity that is undertaken, where and by whom it is undertaken and whether or not there is an awareness by the affected person that the activity is being done. An example of this would be someone who is undertaking network protection activities. They may need to copy a communication before it is delivered to the intended recipient but, under the T(IA) Act as it now stands, copying is only allowed at certain points in the delivery of that communication and under certain conditions. This means that network owners and operators are vulnerable to inadvertently breaking the law prohibiting interception. The T(IA) Act currently includes special exemptions that enable interception and security agencies, as well as certain government departments, to access communications on their own computer network for network protection activities. However, these provisions are not permanent; rather, they were intended to operate on an interim basis while a comprehensive solution covering both the public and private sectors was developed. So these provisions cease to have effect after 12 December 2009.

The current bill before the House will also improve the effectiveness of the Australian telecommunications access regime by extending the evidentiary certificate regime to lawful access to telecommunications data authorised under chapter 4 of the Telecommunications (Interception and Access) Act and allowing the managing director or the secretary of a carrier to delegate their evidentiary certificate functions; by clarifying that lawfully intercepted information can be used, communicated and used in proceedings by the Australian Federal Police in applications for interim and final control orders and initial and final preventative detention orders under divisions 104 and 105 of the Criminal Code Act 1995; and by making consequential amendments to reflect amendments to the Police Integrity Commission Act 1996 of New South Wales in relation to the investigation of the corrupt conduct of an administrative officer of the New South Wales Police Force or the misconduct of an officer of the New South Wales Crime Commission.

As mentioned in the explanatory memorandum, the bill ensures that all legitimate activities in relation to protecting computer networks—whether it is the infrastructure or the information stored or transmitted by them—which are undertaken by network administrators in either the government or non-government sectors do not inadvertently constitute an offence under the T(IA) Act. However, the new provisions do not make such activities compulsory. Utilising the provisions in relation to network protection remains at the discretion of the owner or operator of the network.

As with all measures that seek to protect us, and in this case protect us from a vast range of information being exposed to criminal networks, the issue comes down to a person’s right to know, a person’s ability to use information that they acquire in the course of protecting a network and the privacy of the individual concerned. I note that the Office of the Privacy Commissioner, in making a submission to the Senate Standing Committee on Legal and Constitutional Affairs, has a number of suggestions aimed at enhancing aspects of the bill. I note those because I think they well illustrate the tension in a debate of this nature. Those recommendations are that the bill could provide additional guidance on the operation of the provisions to assist organisations to train authorised persons in respect of what action is lawfully permitted to be undertaken under the scheme. Any exceptions permitting secondary uses or disclosures should be well defined. So these exceptions should align with community expectations and be based on clearly articulated public policy reasons—that is, if you proceed to use, for secondary purposes, information that is acquired in the course of protecting a network. In clause 15, regarding misuse of the computer network, the bill should clarify that disciplinary action applies to activities that pose a risk to network security only. Consideration could be given to including in the bill a provision to allow individuals access to intercepted communications that relate to them, to be modelled on national privacy principles in the Privacy Act. The Office of the Privacy Commissioner also suggests that all intercepted records of a communication, whether the original or a copy obtained for the purpose of network security, should be destroyed when no longer needed for that purpose. That strengthens the requirement to destroy information.

As I noted, the bill was referred to the Senate Standing Committee on Legal and Constitutional Affairs on 17 September and it is due to report by 16 November. While the coalition supports the bill, we foreshadow the possibility of amendments in the Senate pending the committee’s recommendations.

Chris Hayes (Werriwa, Australian Labor Party) Share this | Link to this | Hansard source

I rise to also lend my support to the Telecommunications (Interception and Access) Amendment Bill 2009, a bill that will principally amend the Telecommunications (Interception and Access) Act 1979, the T(IA) Act, to ensure that the actions of network administrators to operate, protect and maintain computer networks will not breach the Telecommunications (Interception and Access) Act. These amendments are technical. They have been brought about to ensure that the overall objectives of the Telecommunications Act 1997 are being met and not frustrated by the speed of technology and the speed with which systems operators need to move to protect the information that is gained in and about their networks. These amendments are necessary to legitimise the activities aimed at securing the integrity of networks and the information that is contained in those networks.

It is no surprise to anyone in the House that we are continuing to increase our use of internet network transmissions not only in the normal day-to-day lives of individuals but also by businesses and the community generally. In fact, Australians are more active online users than the people of most other nations. Over the past few years we have seen a move away from the more traditional methods of communications—I must say that these are the ones that personally I have been a bit more comfortable with—to those which are now more familiar to an up-and-coming generation and certainly to the business community, who know of the need for instantaneous communication if they are to be in a position to win contracts and have a forthright position in leading within the business field in this country. We are now communicating more over the internet and having information exchanged instantaneously through digital processes for just about every business opportunity that exists in this country. It is for this reason that most businesses now have an online presence to enable them to communicate and, essentially, expand their trade not only as to what they do here but also as to the way in which they are actually able to apply their trade in terms of worldwide activity. We know the technology is providing us with unprecedented access to trade around the world and therefore it is vital not only for trade but also for our local community. That is one of the reasons why this government has committed $42 billion to building the National Broadband Network, a project of Snowy Mountains scheme proportions for the 21st century. This will give our businesses the boost they need to be competitive on the world stage.

However, with the increased use of online communication comes a high incidence of a new emerging crime, cybercrime. I have spoken in this place many times about criminal activity not being one matter that is actually born and bred in any particular crime base. Criminals will move to actually exploit loopholes with a view to getting returns on their investment in crime. At the moment cybercrime is one of those things that is attracting serious money for various groups of individuals in terms of setting up criminal enterprises to benefit the less than law-abiding citizens of our country. According to a global survey of nine countries in 2008 conducted by a software security vendor, AVG Australia, Australia has the highest incidence of cybercrime in the world. The study—which canvassed 1,000 users in each of the countries of Australia, the US, France, Germany, Italy, Spain, Sweden, Brazil and the Czech Republic—found that more than 39 per cent of Australians have been the victim of some form or other of cybercrime. That is compared to 32 per cent in Italy, 28 per cent in America and just 14 per cent in Sweden and Spain. It is certainly of no surprise to me just how sensitive is some of the information that is being sought out there at this stage when you think about what is being accumulated online, particularly when it relates to such things as medical records, banking details, phone numbers et cetera. All are certainly not in the public domain, but through criminal enterprise cybercriminals are actually trying to attract that information as their form of business. What they then do with that is exchange it on the black market, therefore identify theft has become such a big issue not only in this country but around the globe. In Australia alone the proceeds of identity fraud are estimated to be something around $6 billion a year. I have seen identity fraud figures being touted that suggest it is something in the vicinity of $100 billion worldwide. So it goes without saying that we must do whatever we can to defend Australia’s computer networks.

We have an obligation to protect Australians and certainly Australian businesses from malicious access to their personal information or their business information. We actually do that by building confidence in this new emerging digital economy. As it stands, network operators can undertake protective activities to protect their networks. However, as attacks are becoming so frequent and more refined, many operators’ actions in defending their networks may be regarded, without their intending to be, as breaches of the Telecommunications (Interception and Access) Act 1979. This bill will amend the act to ensure that network operators can undertake legitimate activities aimed at securing their networks and, importantly, the information that is contained on those networks. We know that currently an exemption exists under the act for network protection activities undertaken by designated security and law enforcement agencies. In fact, early last year the parliament agreed to extend the operation of these provisions until 12 December this year. This was related to timing to give more opportunity to build broader solutions relevant to all networks, both government and non-government, as they were being developed.

It should be noted that the protection regime proposed in this bill has been amended following the result of an active consultation round that occurred with various law enforcement agencies, including the Australian Federal Police; the business community; and other stakeholders. It is also important, I believe, to note that these amendments strike a balance between protecting computer networks from malicious activities whilst also protecting the users of these networks from unnecessary or unjustifiable invasion as to their personal information. Under this revised approach, this bill will have a couple of major impacts. Under it all networks will be able to intercept communications at the network boundary in order to protect the network. Intercepted material may be communicated for the purpose of performing network protection duties and investigating criminal offences. Only network operators within interception agencies, intelligence agencies and Commonwealth departments responsible for security collection of foreign intelligence, defence or the conduct of the Commonwealth’s international affairs will be able to monitor reasonable use of certain information in certain circumstances. This will mean that employees in private or non-government organisations—and most other government agencies for that matter—cannot be the subject of disciplinary action under the network protection provisions, given that they use the network appropriately, properly and in accordance with the agreed use.

This bill also includes several important amendments that will improve the effective operation of the act, including amending the definition of ‘permitted purpose’ in relation to the New South Wales Police Integrity Commission to reflect an expansion in the role of the commissioner. Further, the bill will also clarify that information that has been intercepted by the Australian Federal Police in the course of investigations into serious offences, including terrorism offences, can be used by the AFP for purposes associated with the making of control orders and preventative detention orders under the Criminal Code. These technical amendments, along with a couple of others that I have not had the opportunity to mention, will ensure that the act continues to be clear and relevant in the obligations and the powers it imposes on carriers and on law enforcement agencies. This bill marks an important step in the government’s commitment to building confidence in the online world. I commend the bill to the House.

Luke Simpkins (Cowan, Liberal Party) Share this | Link to this | Hansard source

As a former member of the Australian Federal Police I have some background in the area of interception of telecommunications, not from a technical perspective but from a hands-on involvement in monitoring communications and listening devices. It is in that area that I had some experience. In 1987 I undertook some work in the eastern suburbs of Sydney listening in on a suspected drug trafficker as a precursor to searches that would later take place. While the language used in most of the recordings was Cantonese, so an interpreter was required, we nevertheless had the responsibility of listening in for any English language information that could be obtained and, via a hidden camera, we were also observing the premises for suspicious activities. Spending a number of eight-hour shifts continually listening and watching gave me a great appreciation of some of the less interesting but nevertheless necessary jobs that had to be done by the Australian Federal Police.

I would also say that, having had discussions with a number of my constituents about these and related matters, I know that the vast majority of Australians adopt the supportive line that these sorts of laws, properly authorised in warrants, are necessary to protect the law-abiding citizens of this nation. The typical Australian would say, ‘If you’re not doing anything wrong you shouldn’t object.’ That is pretty much the standard attitude towards telecommunications intercepts and a range of police capabilities that are described by typical Australians as good and by a noisy but peripheral minority as an infringement of human rights. So I am confident in saying that the majority of Australians appreciate the safety provided by law enforcement agencies with effective capabilities as outlined in these sorts of laws.

In recent times we have had our law enforcement agencies intercept information that has resulted in arrests and trials of terrorism suspects. It seems there are some in this country that seem so keen on protecting the rights of terrorists that they are willing to weaken our defences and risk the lives of innocent people in this country. Without the ability to intercept communications, collect intelligence and ultimately evidence, this country would be seriously weakened. There are two problems with those who oppose these sorts of capabilities. They labour under the serious misconception that those who seek to wreak havoc, destruction and death across this country can be reasoned with, and that is one problem. The second problem is somewhat ironic, that they have the freedom to protest these laws under the protection and freedoms that are provided by these laws and others related to them.

Moving away from those that oppose these laws, I think it is also very sad that there are some people in this country that have taken up citizenship and seek to change this country in a fundamental way. By that I mean that those who have recently been convicted in the Sydney terrorist trial are from families that have come to this country and used the superior freedoms and liberties of this country while finding fault with this country and seeking to change it with their extremism and fundamentalism. I think it is all very well that we have the ability to grant citizenship, but what we should have is the ability to withdraw that citizenship from those who seek to betray this nation with acts of murder and terror. These are the reasons why the need exists to have strong laws to support the technologies available for interception and accessing telecommunications.

Turning to the specifics of the Telecommunications (Interception and Access) Amendment Bill 2009, it is the nature of this modern age that important information is vulnerable when it is held electronically. With the benefits of easy access to electronic information in departments and agencies and the systems of other organisations also comes the vulnerability that it could be illegally accessed. Damage to that information, the altering of that information or the stealing of that information may realise a benefit for those responsible and will result in a cost in physical terms and in terms of the standing of the organisation. These are the threats we are faced with.

On 12 December this year the interim measures that had been put in place for network protection activities will cease. This bill is now required to provide a permanent and comprehensive basis upon which public and private sector organisations can access communications on their own networks and protect their computer networks. The amendments provided for in this bill include: to allow computer network owners and operators to operate, maintain and protect them; to enable agencies to take steps to ensure their networks are being used appropriately; and to limit the secondary use and disclosure of information through network protection activities, including reporting illegal behaviour and taking disciplinary action. This will result in organisations in the public and private sectors being able to check the actions of employees when they access the organisations’ networks. The emphasis will be on appropriate use of those networks, or in other words that access to any files had a legitimate reason surrounding it.

These amendments have created concern in some areas; however, the warning is there now for all those who may wish to go beyond appropriate use of public and private sector networks. While these amendments appear reasonable, I understand that a Senate committee is still looking at this bill, and issues with the bill will no doubt be taken up in the Senate when the committee reports by 16 November this year. With that consideration, amendments may result in the Senate.

I reiterate that we should always look towards strengthening laws that make this nation safer and that reduce the threats that would undermine our institutions. While the issue of inappropriate use of networks may not seem on the surface to be dramatic in its effect, the integrity of information held by government agencies is vital and may in certain circumstances have national applications, and even information held by other organisations could threaten the future of those organisations, with implications for employment and downstream negative economic outcomes. I support the intent of this bill and, barring possible amendments in the Senate, look forward to its passing.

Robert McClelland (Barton, Australian Labor Party, Attorney-General) Share this | Link to this | Hansard source

in reply—I thank members of the House for their contributions to the debate. The contributions of the members who spoke today—the members for Farrer, Cowan and Werriwa—were considered and helpful. The Telecommunications (Interception and Access) Amendment Bill 2009 recognises the important role technology plays in the way we store and exchange information. Passage of the bill will help secure sensitive information from criminal access, protecting Australians from criminal activity and ensuring the integrity of vital infrastructure. For the first time, all Australians will be able to undertake certain activities designed to protect their computer network, without breaching the act.

This is an important step forward which matches the growth in sophisticated attacks with the capacity to defend a network at the earliest possible point. However, network protection activities will only be lawful if they are conducted in accordance with the provisions that are set out in this bill. Network protection activities cannot be undertaken without reason, nor can the information obtained through these activities be used for any other purpose. Rather, the proposed network protection regime maintains the integrity of the interception regime by balancing the need to protect networks from malicious attack with clear limitations on the circumstances in which access, use and disclosure of information will be permitted.

The bill also includes several amendments that will improve the effective operation of the act, ensuring it continues to be clear and relevant. Similarly, the new network protection regime responds to a new and very real threat. By ensuring that network owners can undertake legitimate activities aimed at securing their network and the information it contains, this bill will build Australia’s confidence in and use of the online world.

Question agreed to.

Bill read a second time.