Wednesday, 22 August 2012
Cybercrime Legislation Amendment Bill 2011; Second Reading
Last night I admit that I was taken unawares because Senator Mason, uncharacteristically and shockingly, did not use his full 20 minutes. That is why I was caught on the hop. I broadly support this bill and I am glad that it goes some way to addressing a very serious issue in our society, a problem in which our children are particularly vulnerable—that is, cybercrime. For me and many fellow South Australians nothing brings home the seriousness of cybercrime more so than Carly Ryan's story. Devastatingly for Carly's family and friends, she is not with us today to tell it.
Carly Ryan lived with her mother, Sonya Ryan, in Stirling in the Adelaide Hills. In 2006, when Carly was just 14 years old, she started chatting online with someone she thought was a 20-year-old called Brandon Kane. Brandon was the boy of her dreams and the two formed a close online friendship. Her mother later said about her daughter, 'She was like a giddy teenager in love—really happy, really light and really excited.' What Carly did not and could not have realised is that behind the online conversation with Brandon was not a 20-year-old musician at all. Brandon Kane did not exist. Instead she had unknowingly developed a relationship with Garry Francis Newman, a 47-year-old man who lived with his mother. The divorced father of three had 200 fake identities, but it was that of Brandon Kane that he used to lure young Carly. Police would later discover child pornography on Newman's hard drive, and it was also revealed that he had pursued two other 14-year-olds—one in the United States and one in Singapore.
Carly invited her new beau, Brandon, to her 15th birthday party. The so-called Brandon told Carly that he would be overseas and could not make it but that his adopted father, Shane, would go in his place. Shane and Carly began chatting online and the teenager convinced her mum that it would be okay for Shane to come along to her birthday party. Newman turned up to the party as Shane. When Ms Ryan learned he and Carly had become close, she warned him to stay away from her daughter. Newman became enraged and on 19 February 2007 he convinced Carly to go with him to Victor Harbor to meet her beloved Brandon. The next morning passers-by discovered Carly's body bashed and drowned at Horseshoe Bay, Port Elliot. She was just 15. A jury found Newman guilty of murder on 31 March 2010. He was sentenced to life imprisonment with a non-parole period of 29 years.
Having this predator behind bars is one thing, but we need to look at other ways we can protect young people like Carly so no child ever suffers the same fate. Carly's mother, Sonya, has set up the Carly Ryan Foundation to promote internet safety and support victims of cybercrime. Ms Ryan's bravery through her grief and her willingness to help others is incredible. We the people in this chamber also have the power to make a difference. We need to consider making it illegal for adults to misrepresent their age to minors online for the purpose of grooming and we need to support Ms Ryan in her push for more education in schools about cybersafety.
The bottom line is that we cannot underestimate the seriousness of cybercrime, and that is why, with some amendments, I broadly support this bill. We need to ensure that this bill is consistent with the Council of Europe Convention on Cybercrime so that we can become a signatory to the international treaty. That is the basis of this bill. I note the recommendations made by the Joint Select Committee on Cyber Safety, which was chaired by Senator Catryna Bilyk. The committee made a number of sound recommendations which balance the importance of being compliant with the Council of Europe Convention on Cybercrime with the need to maintain our own safeguards on privacy here in Australia.
I am also broadly supportive of the Greens amendments which seek to tighten the legislation in terms of Australia's privacy interests. Online is a new frontier not just in terms of the way we communicate and the way we go about our day-to-day business but also, sadly, in terms of crime. We need to make sure that it is appropriately policed and I think a legitimate concern that needs to be raised in the committee stage is: how will this bill be enforced and how difficult will it be to launch a successful prosecution in matters such as this?
Amending legislation to ensure we comply with the Council of Europe Convention on Cybercrime is just one important step in ensuring we are doing all we can to fight cybercrime. As always, the devil is in the detail, and that is why I think the committee stage of this bill is very important to ensure that this bill will do what it is intended to do and do it in a way that is effective. That is why I was disappointed when the parliament took the view not to support the bill I introduced some time ago, inspired by Sonya Ryan's work in relation to her late daughter Carly Ryan, that it should be made an offence to misrepresent your age to a minor. On the face of it that should be prima facie an offence. It does not have to carry a severe penalty in itself, but it needs to be an offence that will make a difference, because at the moment you need to show an intent or a prurient purpose if you misrepresent your age to a minor. But you need to ask the question: why would an adult misrepresent their age to a 14-year-old? Unless there is a good excuse, that in itself ought to be an offence. That is something that I am concerned about that this bill does not deal with. But I note that there does not appear to be the political will to deal with this particular aspect of it. Notwithstanding that, this bill at least is making some genuine attempt to deal with this very serious issue and I hope that, with amendments, this bill will be strengthened and ultimately be effective in dealing with cybercrime.
Australians and human beings are exchanging more and more information online and that, of course, leads to a greater prevalence of cybercrime. It is a threat to all internet users from businesses to home users, meaning anyone can fall victim to invasion of privacy, theft and deception via the World Wide Web. As a father of two young children, I am one who wishes my kids to grow up having the opportunity to learn from and utilise the internet but I also want to know that when they are doing that they are safe and protected from criminal elements who may seek to prey on vulnerable people. So it is critical that the international community work together to combat this threat.
The facts about cybercrime speak for themselves. In the last six months alone, Australia's computer emergency response team has alerted Australian businesses to more than a quarter of a million pieces of stolen information such as passwords and login details. Cybercrime has already overtaken the drug trade worldwide as the most profitable form of all crimes, and this is simply because of the opportunities that cybercriminals have to steal money, identities and information from unsuspecting victims because there are so many people nowadays using the internet. I quote Nigel Phair, a specialist in cybercrime who worked for more than four years at the Australian High Tech Crime Centre:
With the phenomenal growth of the Internet, cyber crimes have become a matter of national interest … The rapid development of the Internet, with global computer-based commerce and communications that cut across traditional territorial and state boundaries, continue to create a new realm of criminal activities among the cyberspace social, economic and political groupings.
Mr Phair is right about this point. We all have a cause for concern. In 2011 a three-year investigation, known as Operation Rescue, exposed the frightening scale of the challenge before us in the fight against paedophilia and organised crime online. Seven international jurisdictions joined together to act, including Holland, Chile, France, the United States, New Zealand and Australia. That investigation led to the arrest of nearly 200 suspected paedophiles and, thankfully, 230 children were rescued in the process. With figures like that, this parliament and we as a nation must act on cybercrime. The first step is the ascension into the Council of Europe Convention on Cybercrime. To do this amendments must be made, through the Cybercrime Legislation Amendment Bill 2011, to the Telecommunications (Interception and Access) Act, the Mutual Assistance in Criminal Matters Act, the Criminal Code Act and the Telecommunications Act.
The convention serves us as a guide for nations developing a comprehensive national legislation on cybercrime and the convention is the first international treaty on crimes committed via the internet and other computing networks dealing particularly with computer related fraud, child pornography and violations of network security. It criminalises certain types of conduct committed via computer networks and contains a series of powers and procedures such as the search of computer networks and interception. The convention provides systems to facilitate international cooperation between signatory countries, as well as establishing procedures to make investigations more efficient by empowering authorities to request the preservation of specific communications with access subject to a warrant in Australia, helping authorities from one country to collect data in another country, establishing a 24-hour network to provide immediate help to investigators, and facilitating the exchange of information between countries. To date over 40 nations have either signed or become a party to the convention, including the United States, the United Kingdom, Canada, Japan and South Africa. Over 100 nations are also using the convention as the basis in their jurisdictions to strengthen their legislation and combat cybercrime.
On 1 March this year the tabling of the national interest analysis by the Minister for Foreign Affairs saw the referral of the question of ratification to the Parliamentary Joint Standing Committee on Treaties. As I explained earlier, the best example of why international cooperation can work and has worked was Operation Rescue, with the result, as the Guardian reported in the UK on Wednesday, 16 March 2011, that 60 children had been removed from immediate danger and that police around the world had worked together to shut down what was believed to be the biggest online paedophile ring in the world.
All of the world's online viruses come from overseas. This makes international cooperation all the more important. Recently Kaspersky Lab, an internet security and anti-virus maker, released a report into viruses and malicious software for the first quarter of 2011. It stated that almost 90 per cent of web sources spreading malicious programs were in 10 countries, with the United States, Russia, the Netherlands and China the main countries of origin.
The Australian government has already taken significant steps to redress cybercrime and related risk. These include establishing a new national computer emergency response team to improve cooperation with the private sector on cybersecurity issues; establishing a cyberpolicy coordinator within the Department of the Prime Minister and Cabinet; working with state and territory governments to ensure a nationally coordinated response to cybercrime including consideration of a national online reporting portal; partnering with industry, community and consumer groups to undertake a year round cybersecurity awareness raising initiative; and working with the Internet Industry Association to develop a voluntary internet service provider code. This ISP code provides a consistent approach for ISPs to help inform, educate and protect their customers in relation to cybersecurity issues.
The government welcomed the findings of the Joint Standing Committee on Treaties supporting Australia's ascension to the Europe Convention on Cybercrime. The Cybercrime Legislation Amendment Bill 2011 will strengthen cybersecurity laws and enhance Australia's ability to combat international cybercrime. These amendments will ensure that Australian legislation is consistent with international best practice and that Australia is in the best position to address the range of cyberthreats that confront us, both domestically and internationally. I wholeheartedly support the changes contained in this bill. They are a necessary improvement to our defence against the global threat of cybercrime. The changes increase our capacity to fight against this threat on the international stage and augment the armoury of our security and law enforcement agencies to combat these threats at home.
The changes in the bill come about as a result of an extensive inquiry that was conducted by the Senate Environment and Communications Committee. I congratulate Senator Bilyk, who chaired that committee, and members of the committee for the thorough investigation that they undertook into the adequacy of laws to deal with cybercrime in our nation. They played a big role in this legislation coming before the parliament.
This approach that the government has taken in respect of the ever-increasing threat of cybercrime gives me, with two young daughters—and all other parents throughout the country—greater protection from the worst elements of cybercrime and provides greater comfort for parents regarding the use of the internet by their children. The approach gives me added confidence that, when we turn on the computer at home, my kids, like so many other children across the country, can be safe from the sorts of attacks that we all hope will never happen to loved ones and that were pointed out by Senator Xenophon. I am pleased to support this bill.
I would like to thank those senators that contributed to the debate on the Cybercrime Legislation Amendment Bill 2011. Senator Brandis asked about the government's response to the report of the Joint Select Committee on Cybersafety and the committee's recommendation 13 about industry costs. The government intends to respond to the committee's report before the Senate today. Regarding recommendation 13, the Attorney-General's Department has been in ongoing discussions with industry who will, as I understand it, support the amendments.
Senator Ludlam did ask a few questions in his contribution that I am happy to address through the second reading debate. This will not diminish the opportunity for the senator to raise questions during the committee stage. The senator spoke at some length about why this bill is being debated in the parliament before the Parliamentary Joint Committee on Intelligence Security concludes its report into potential reforms of Australia's national security legislation. As the senator understands, Australia's intention is to accede to the cybercrime convention. It was announced long before the inquiry even commenced. Three inquiries have now been held relating to Australia's accession to the cybercrime convention and all have supported that accession. The focus of this bill is on international cooperation between our law enforcement agencies, whereas the focus of the inquiry by the PJCIS is on domestic capabilities, including data retention, telecommunications sector security reform and ASIO's capabilities. On the topic of data retention, the senator continues to refer to the data retention proposal, which is not included in this bill. This bill allows for preservation of targeted communication to ensure that information relevant to a specific investigation is not lost as a consequence of normal deletion purposes. Those communications can only ever be accessed under a warrant.
Senator Ludlam questioned whether the bill changed the bar for interception warrants from an offence punishable by seven years to an offence punishable by three years, and it does not. The bill does not relate to interception; it is about stored communication and telecommunications data. Finally to the issue of costs, which Senator Ludlam referred to as 'a great big new tax on telecommunications': the fact is that the cost is borne by law enforcement agencies under cost recovery arrangements with telecommunications providers. It is not borne by the user.
As I understand it, Senator Mason commented on the potential privacy impacts of this bill. Importantly, the cybercrime convention includes explicit protections of human rights which will bind Australia after accession. Further, the bill adopts the privacy protections that exist in current legislation.
The government does share Senator Xenophon's concerns about the safety of children online. The Carly Ryan case is truly tragic. While this bill is not the right vehicle for the senator's proposals, it will assist police in Australia and internationally to investigate these heinous crimes. I note that additional matters have been raised in relation to this bill in committee hearings. Many of the obligations in the Council of Europe Convention on Cybercrime are already provided for in Australian law. The bill amends several acts to ensure that Australia fully complies with the convention. Cybercrime has already overtaken the drug trade as the most profitable form of crime in the world. With Australian families, businesses and government conducting more and more activities online, it is necessary that Australia take further action against cybercrime to protect Australians. The cybercrime convention is the only binding international treaty on cybercrime, setting out the procedures that support cooperation amongst its signatories. By acceding to the convention, Australian law enforcement agencies will be able to access and share information necessary to support local and international cybercrime investigations. This will mark a significant step forward in our efforts to address the growing threat to the Australian community posed by cybercrime and the need to protect the community from internet abuses.
For cybercriminals, our accession to the convention will mean that there are fewer places to hide. The bill has been considered by the Joint Select Committee on Cyber-Safety, which reported to parliament on 18 August 2011. I would like to take this opportunity of thanking committee members for their detailed work on this bill. The government, in its response to the committee's report, has closely considered the committee's recommendations. As the bill builds upon existing laws about telecommunications, privacy and cooperation with foreign countries, many of the issues raised in the committee's report have already been addressed. Other areas where the bill can be strengthened will be addressed through the government's amendments that will be moved during the committee stage of the bill.
The government agrees with the committee’s first recommendation—that the threshold for the issue of a stored communications warrant for both foreign and domestic offences should be the same. As the bill already requires that the threshold for both foreign and domestic offences be three years imprisonment or 900 penalty units, no amendment is needed.
Recommendation 2 requires the Attorney-General to investigate whether the proposed new Part IIIA of the Mutual Assistance in Criminal Matters Act 1987 prevents stored communications warrants being available to foreign countries for investigations into child sexual exploitation. The Attorney-General’s Department has not identified any child exploitation offences with a penalty of less than three years imprisonment, meaning no amendments are needed to address this recommendation.
Recommendation 3 is that the Mutual Assistance in Criminal Matters Act be changed to allow Australia to reject a foreign country’s request for information if that country’s laws about protecting personal information are not substantially similar to Australia’s laws. As the bill retains all of the existing privacy protections in relation to accessing information at the request of a foreign country, no amendment is needed. Where new access procedures are provided, they include their own additional protections.
The government agrees with recommendation 4—that requirements to assess privacy impacts should be clearer and more accessible. The government will move amendments to provide detailed guidance to authorised officers about the particulars of weighing and balancing privacy impacts to ensure that privacy considerations are taken into account for every disclosure of telecommunications data.
Recommendation 5 requires that the bill be amended to ensure that, in determining whether a disclosure of telecommunications data to a foreign country is appropriate in all the circumstances, the authorising officer must give consideration to the grounds for refusal under the Mutual Assistance in Criminal Matters Act. The government accepts this recommendation in principle, but notes that the bill in fact only allows disclosure of historical telecommunications data on a police-to-police basis. Disclosure of stored communications or prospective telecommunications data can only occur in response to a mutual assistance request. This means the provision of historical telecommunications data will be subject to the protections in the bill as well as the AFP’s national guidelines on the disclosure of information. The government believes that this strikes the right balance in providing adequate protection while ensuring that procedures are flexible and responsive.
The government agrees with the committee’s concerns in recommendation 6 that sufficient protection must apply in cases where providing documents or information could relate to a case that may attract the death penalty. The AFP’s existing guidelines address this issue, detailing an accountable process that must be followed when the AFP is considering authorising the provision of police-to-police assistance to foreign countries. In circumstances where a person has been arrested, detained or charged with or convicted of an offence for which the death penalty may be imposed in a foreign country, only the Attorney-General or the Minister for Home Affairs and Minister for Justice may approve the exchange of information on a police-to-police basis. The guidelines also expressly require senior AFP management to consider prescribed factors before providing assistance in any matters which raise death penalty implications.
The committee’s seventh recommendation is that the bill be amended to elaborate the conditions of disclosure of historical and existing telecommunications data to foreign countries, including in relation to retention and destruction of the information and an express prohibition on any secondary use by the foreign country. The government accepts the committee’s recommendation. The bill currently requires that telecommunications data be provided to foreign countries on the condition that the information is only used for the purpose for which it was requested and that documents are destroyed when no longer required for those purposes. The AFP has memoranda of understanding with various foreign law enforcement agencies regarding compliance with caveats placed on disclosed information. However, due to the nature of international relations, Australia cannot criminalise or audit how foreign countries deal with information.
Recommendation 8 is that the Attorney-General investigate the desirability and practicality of a legislative requirement for data subjects to be advised that their communications have been subject to an intercept, stored communications warrant, or telecommunications data disclosure under the Telecommunications (Interception) Act once that advice can be given without prejudice to an investigation. The government notes this recommendation. In May the government referred a package of possible national security reforms to the Parliamentary Joint Committee on Intelligence and Security. The inquiry, which is open to the public, is considering many aspects of the interception regime, including the relevance of the regime’s privacy parameters in the contemporary communications environment.
The committee’s ninth recommendation is that the bill be amended to provide that the Australian Federal Police report to the minister on: (1) the number of authorisations for disclosure of telecommunications data to a foreign country; (2) the specific foreign countries that have received data; (3) the number of disclosures made to each of the identified countries; and (4) any evidence that disclosed data has been passed on to a third party or parties.
The government has closely considered this recommendation and agrees that there is merit in strengthening the reporting requirements. Accordingly, the proposed government amendments will require the head of the AFP to give the minister an annual report that includes the number of disclosures made to each country. Recommendation 10 is that the Attorney-General consult initially with the telecommunications industry and, then, with relevant ministers, statutory bodies, and public interest groups to clarify and agree on the data handling and protection obligations of carriers and carriage service providers.
The government accepts this recommendation in part. Secure management and storage of information is a key component of ensuring that information collected under the interception act is of an evidential standard. The Attorney-General, her department and agencies are in constant dialogue with carriers about maintaining these standards. It should be noted that the carriers who will be served requests to preserve information are all bound by the provisions of the Privacy Act 1998. The public and interest groups will have an opportunity to contribute to the PJCIS inquiry. The terms of reference referred to the PJCIS include the role of the communications industry in relation to both the interception regime and national security more generally.
Recommendation 11 is that the bill be amended to require carriers and carriage service providers to destroy preserved and stored communications and telecommunications data or a record of that information when that information or record is no longer required for a purpose under the interception act, unless it is required for another legitimate business purpose. The government agrees with this recommendation but notes that the Privacy Act already requires private sector organisations to delete information they have collected in the course of their business once that purpose no longer applies.
Recommendation 12 is that the exemption of small internet service providers from the Privacy Act as small businesses be reviewed by the Attorney-General with a view to removing the exemption. The government notes the committee’s concerns about this issue, and notes that it is relevant to the Australian Law Reform Commission’s recommendation in its 2008 report on privacy that the general small business exemption in the Privacy Act be removed. The government will, therefore, consider the committee’s recommendation as part of the response to the ALRC’s recommendation. That will occur in due course after the current reforms in the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 have been progressed.
The committee’s final recommendation is that the Attorney-General’s Department consult widely with carriers and carriage service providers to ensure that the bill, when enacted, can be implemented in a timely and efficient manner. The government consults with industry on a regular basis and recognises the importance of ongoing consultation with carriers regarding legislative obligations under the interception act. Carriers currently assist agencies by preserving stored communications pursuant to general obligations in the Telecommunications Act. This bill makes the current arrangements explicit in order to facilitate accession to the cybercrime convention. The government recognises that, from time to time, new technologies will emerge that may impact on compliance. Where that occurs, agencies will work with industry, as they have in the past, to transition in an orderly, cost-effective and constructive way. To further facilitate implementation, the government will move government amendments to the bill to delay the commencement of the provisions requiring compliance with ongoing preservation notices from 28 days after royal assent to 90 days after royal assent.
The bill, as introduced, amends the Telecommunications Act, the Mutual Assistance in Criminal Matters Act and the Criminal Code to provide for Australia’s accession to the cybercrime convention. An important feature of the bill is the preservation of stored communications. Carriers’ business practices often mean that communications are deleted before agencies have the opportunity to exercise a warrant to access stored communications. Whilst carriers have voluntarily provided assistance in the past, the bill amends the interception act so that an agency can formally require a carrier to preserve stored communications by reference to an individual or telecommunications service.
This approach will mean that computer data, SMS messages, emails and other communications stored by the carrier will be available while ensuring the interception act remains technologically neutral. Importantly, access to these communications will continue to be by way of a warrant.
The bill will rely on Australia’s existing mutual assistance frameworks to enable the improved exchange of stored communications and non-content data to assist in the investigation of certain foreign offences. The grounds for refusal in the mutual assistance act, including dual criminality and a ground to refuse assistance where the request relates to a political offence, will apply to requests for access to stored communications and requests for access to prospective telecommunications data.
While not including new offences in the Criminal Code, the bill expands the scope of the Criminal Code so that it can deal with criminal conduct outside of its existing limitations. The Criminal Code already contains savings provisions that have effectively ensured the continuing operation of state laws in a number of areas.
As recent police investigations have taught us, the need for international cooperation is essential in the investigation of cybercrime, particularly child exploitation offences and online fraud. The amendments contained in this bill will ensure Australia’s full compliance with the cybercrime convention and support our effort to counter cybercrime. I commend the bill to the Senate.
At the end of the motion, add:
but the Senate calls on the Government to initiate a review of the Criminal Code Act 1995 to examine the strengthening of the offences in that Act to ensure that they adequately deal with the issue of misrepresentation of age to minors without reasonable excuse and to investigate the establishment of a type of register to record the names and details of those persons who do misrepresent their age to minors without reasonable excuse.