Note: Where available, the PDF/Word icon below is provided to view the complete and fully formatted document
Standing Committee on Infrastructure and Communications - 29/10/2014 - Infrastructure planning and procurement

BUETTEL, Mr Rohan, Assistant Secretary, Consumer Protection Branch, Consumer and Content Division, Department of Communications

ROBINSON, Mr Ian, Deputy Secretary, Infrastructure Group, Department of Communications

Committee met at 08:11

CHAIR ( Mrs Prentice ): I declare open the committee's first public hearing for the inquiry into the use of subsection 313(3) of the Telecommunications Act 1997 by government agencies to disrupt the operation of illegal online services. Today's public hearing will provide the committee with an opportunity to hear from the Australian government Department of Communications and the Australian Federal Police as part of its evidence for the inquiry. I welcome the witnesses from the Department of Communications. Although the committee does not require you to give evidence under oath, I should advise you that this hearing is a legal proceeding of the parliament and therefore has the same standing as proceedings of the House. I invite you to make a brief opening statement if you wish, before we proceed to discussion.

Mr Robinson : Thank you for your invitation to appear here today before the committee. We welcome the opportunity to talk about our submission. Just briefly, I would like to begin by referring to the key points of the department's submission. In our submission, we made recommendations about the development of whole-of-government principles to guide Australian government agency use of section 313 to disrupt access to illegal online services, about strengthening transparency and accountability around how the provisions are applied, and about improving public awareness and perception about the use of section 313. That is my introduction. We could go through the submission in more detail if you would like us to, or we could answer questions.

CHAIR: Given the time frame, we might go straight to questions, if that is okay. We have got quite a few members here. You note the operation of VPNs, virtual private networks, in the submission. You didn't?

Mr Buettel : I do not think we specifically addressed virtual private networks in the submission.

Mr Robinson : No, I do not believe we did.

CHAIR: Okay. Well, that was not the question. I was going to ask you what you estimate to be the percentage of Australian internet users who are on a private network.

Mr Robinson : I do not know, but I am happy to take that on notice—

CHAIR: Take that on notice? Okay.

Mr Robinson : and I think the department will be able to answer that question. But we will come back to you.

CHAIR: Excellent. Nola.

Ms MARINO: Part of our inquiry is about how government agencies apply this section. You are talking about whole of government. What are you anticipating that this looks like, from your perspective?

Mr Robinson : Subject to the recommendations of this review and then government consideration, I think our proposal is that there be guidelines put in place that would apply across the Commonwealth and that those principles would apply to all the relevant agencies who might seek to use the relevant parts of the act. They would require them, amongst other things, to have in place clear decision-making processes internally as to how they use section 313(3)—arrangements for using stop pages et cetera where that is okay. But, then again, if it is not suitable in the case of some law enforcement issues, that would not apply. There would be arrangements for transparency abuse so that, if agencies are using the provisions, they indicate where they have done so.

Some of the issues that have arisen have been to some extent about the transparency of what was taking place, and there was, as I understand it, one particular example of use of these provisions where essentially an error was made and it took a while for it to be corrected partly because there was not transparency as to what had happened and why it had happened. So our arrangements, to a large extent, focus on making sure that in most cases that is in place and there are good guidelines and rules around it.

Mr VAN MANEN: If I could just follow on from that, where do you think the deficiency is in the current guidelines or interpretation of that particular provision?

Mr Robinson : From our perspective, we think a better model would be to have whole-of-government guidelines. I am not sure there are any at present, so each agency is taking its own approach. We are proposing that there be clear guidelines; that particular agencies essentially produce information about how they are using the section, how they are applying it; and that they have clear internal policies as to who is authorised to make these decisions and therefore make sure accountability is at the right level in particular organisations—that they get the authority from senior people to do so. We are proposing that the blocking of sites et cetera is at a threshold level that is significant enough and, as I mentioned before, that there is transparency about what they are doing and why they are doing it. In a lot of cases and in the case of some law enforcement activities, there would also be provisions for that not to occur if that is going to compromise law enforcement actions.

Mr VAN MANEN: What is the current threshold limit for sites to be blocked by agencies? Can you give the committee an example of the policies of a couple of different agencies where they may be at odds with each other to show why these guidelines would be required to be consistent across the agencies?

Mr Buettel : Section 313 can be used to give officers and authorities of the Commonwealth and the states and territories such help as is reasonably necessary to enforce the criminal law and laws imposing pecuniary penalties, assist in the enforcement of criminal laws enforced in foreign countries, protect public revenue and safeguard national security. There are no guidelines applying across the Commonwealth at the moment as to when these powers are used. Up until this point, as far as we are aware, there have only been three agencies that have made use of it. The Australian Securities and Investment Commission was using it to block fraudulent websites, and there is some detail in their submission as to how they were going about that. Essentially, where they were discovering these websites that were involved in frauds seeking to defraud Australian consumers, they were taking action to block those. The Federal Police are probably the largest users of the provision, and most of their use is around child sexual exploitation material.

CHAIR: People buying drugs? Narcotics?

Mr Buettel : The Federal Police are the next set of witnesses, so it would probably be useful for you to discuss their use with them. Different agencies will use the provision in different ways. For example, ASIC have a strong interest in there being a lot of public awareness about these fraudulent websites. When they take action, in many cases they are likely to issue media releases and they are quite comfortable about the idea of putting out stop notices, so potential consumers who seek to access the site are actually told: 'This is a scam site and this is why access is not being provided.' For them, there is a strong interest in transparency around what they are doing. For the Federal Police, it may well depend upon the particular matter that they are dealing with. In some cases, it may be appropriate to make that information known. In some cases, they may be taking action as part of an ongoing investigation and it may be sensible not to put up stop notices. It is probably best if you raise that question with the Federal Police when they appear.

CHAIR: You referred to ASIC. They accidentally blocked 250,000 sites, and then Minister Conroy asked for an investigation into that. How is that going? Have we got a result for that investigation?

Mr Buettel : Following the events that occurred last year with the accidental blocking of the website, or the accidental blocking of all the additional websites—

CHAIR: Two hundred and fifty thousand.

Mr Buettel : the minister at the time asked the department to look into the matter. The department convened a meeting across a broad range of Commonwealth agencies and following that meeting the department worked on developing a possible consultation paper for public consultation. Following the election and the change of government, the department raised the issue with the new government. One of the ways to proceed was to continue with that departmental public discussion process, but the view was taken that, given the issues around transparency and accountability, the best way to proceed was to actually have a parliamentary committee look at it rather than a departmental driven discussion paper. Essentially, this process is now taking place following on from that.

CHAIR: It was part of the terms of reference, though.

Mr Buettel : In developing our submission to the committee, we have basically worked on the proposals that we were developing as a result of the consultation paper, and they are reflected in our submission to the committee.

CHAIR: Has anyone identified, number one, what went wrong that an extra 250,000 sites were blocked?

Mr Buettel : Yes. I would just ask the question whether ASIC will be appearing before the committee.

Unidentified speaker: They will be now!

Mr Buettel : They are probably best placed to explain.

Mr Robinson : As I understand it, Chair, ASIC are probably the best to explain. I do not think there is any doubt from our perspective as to the background of that, but they are probably the best to explain. A short summary of that is, I think, ASIC acknowledged they made an error in applying it.

CHAIR: The ongoing question is, what do they need to do to make it not happen again, and have those steps been put in place?

Mr Robinson : Yes. The work that was done last year by the department after that, as Mr Buettel said, we essentially have presented as our submission.

CHAIR: So your view on how to prevent that situation happening again is part of your submission?

Mr Robinson : Yes.

Ms ROWLAND: Could I just ask a couple of questions about the operation of 313(3). The requirement to give, firstly, help, and, secondly, as reasonably necessary, and subsection (d), protecting the public revenue. Can I just get your interpretation on the scope of some of those provisions—such as, what constitutes help and how do you judge the reasonable necessity. When we are talking about protecting public revenue, what specifically is that going to?

Mr Buettel : Insofar as the provision refers to such help as is reasonably necessary, that would just be interpreted on the plain meaning of the language in the provision. In practice, what tends to happen is that a government agency will seek help from a telecommunications carrier or a carriage service provider under section 313. Unless the service provider had concerns about the nature of the request, normally they would be expected to give such help as is reasonably necessary. There are provisions in the act which then go on to provide a means for the service providers to recover their costs for that assistance, and there are mechanisms for an arbitration if agreement cannot be reached on how those costs are recovered. I understand, in practice, this has always been done by agreement and there has never been a need to resort to formal arbitration in relation to the operation of the provisions. Protecting the public revenue: the obvious example of that would be the tax laws, but as far as I am aware it has never been used for that purpose.

Ms ROWLAND: This provision is always accompanied by—or is it supposed to be always accompanied by—a warrant to obtain this information?

Mr Buettel : Not in relation to the blocking of the illegal online activities. There is no warrant requirement in those circumstances.

Ms ROWLAND: If this provision is relied on for the blocking of sites, how have carriers responded to those requests? Is that documented somewhere—for example, how many requests are made under this provision specifically for blocking?

Mr Buettel : I think that is one of the problems with the current regime, that there is not any public reporting of the number of requests. I do actually have some figures. During 2011-12 and 2012-13, Australian government agencies made 32 requests under section 313 to disrupt access to illegal online services: the Federal Police made 21 request to disrupt access to domains on the Interpol 'worst of' list of child exploitation material; the Australian Securities and Investments Commission made 10 requests to disrupt access to websites that were engaged in financial fraud; and there was one other request from an agency in the Attorney-General's portfolio to disrupt access to services on counter-terrorism grounds. So over two years, as far as we are aware, there were only 32 requests. But I think there is an acceptance that there is a problem that there is no public reporting of the number of requests. So, one of the things the department proposes in its submission is that the Commonwealth guidelines would require agencies that do make such requests to report to the Australian Communications and Media Authority and that it would include in its annual report the number of requests that have been made in the previous 12 months, which would then be tabled in parliament.

Ms ROWLAND: That would bring it in line with some of the other requirements for where there is interception and access, that you keep records of that as well?

Mr Buettel : Yes.

Ms ROWLAND: Do the carriers need to keep records of when they disclose them? I know that currently, under interception access warrants, they need to keep records. But do they need to keep records for this, and would you recommend they do also need to keep records?

Mr Buettel : I think it would be sensible for them to do so, but the requirement would actually be placed on the requesting agencies. They would have the administrative burden of keeping the records and informing the ACMA, and the ACMA would do the combined report to parliament.

Ms ROWLAND: But currently telcos, when they disclose under warrant, need to keep a record themselves of the disclosures they made. Wouldn't it be prudent to also bring that requirement in line with those provisions, if you are going to introduce it here?

Mr Buettel : The volume of requests is much lower in the case of these kinds of issues. I do not think there is any need for the carriers or the service providers to keep records because government will have a record of what has been done and will be making it public.

Mr VAN MANEN: Just to follow on from Michelle's question: wouldn't it be a good crosscheck to make sure that if the carriers are reporting—it becomes a crosscheck to ensure that government agencies—

Ms ROWLAND: You right; it is important to verify. These are the entities that are making the disclosures. I actually think it is in the public interest where a carrier is undertaking such actions that they also make a disclosure that they have done that. I agree with you.

Mr THISTLETHWAITE: Can you just outline the process of how the system works in practice. Is it the case that if the AFP discover there is illegal activity going on on a particular website that they make the request to the carrier to block it, or does it come through the department? Which body makes the request?

Mr Buettel : The AFP makes the request directly to the carrier.

Mr THISTLETHWAITE: Okay. I suppose we can ask the AFP about that in a moment. Is there a legal department within your department that would be consulted if there was a question mark about whether or not to do this?

Mr Buettel : No issues have been raised with the department in advance. For the agencies that do this, we would suggest that they be required to comply with a set of guidelines and that they actually develop their own internal guidelines that would set out how they undertake these activities. Those guidelines would cover things like the level of authority for sign-off of any such request and the technical aspects to ensure that a situation similar to the one that happened last year does not happen again.

Mr THISTLETHWAITE: In the ASIC case, was it ASIC that made the request or was it the AFP?

Mr Buettel : It was ASIC in that case.

Mr THISTLETHWAITE: The AFP was not involved in that at all?

Mr Buettel : Not as far as I am aware.

Mr THISTLETHWAITE: Does this mean that any government body can make this request to the carrier?

Mr Buettel : Yes.

Mr THISTLETHWAITE: What legal check would they go through to make sure that the request is not frivolous?

Mr Buettel : It is a very big thing to actually block a website on the internet. I do not think, in practice, any government agency would go ahead and do it without giving some detailed consideration to the particular matter and properly investigating it.

Mr Robinson : If your question goes to whether we should have, for example, a central point for some of these requests, that is not our view. There is a relatively low number of requests and fundamentally we think the issue is about explanation and transparency about those, and provided that is put in place then that is a good first step—just improving arrangements. We suggest as part of our proposal that some of the reporting arrangements would be through the ACMA, which is within our portfolio and does similar reporting on behalf of the telecommunications sector. But I am sure we would not say that there needs to be a central point that ticks off these requests—especially given there are relatively few and, in fact, most of them are one agency, which is a law enforcement agency who is best placed to make those decisions.

Mr THISTLETHWAITE: Are these decisions reviewable by the AAT or another body like that?

Mr Buettel : There is no merits review process. Action could potentially be taken under general administrative law requirements if the carrier were particularly concerned, or a particular issue could be raised with the Commonwealth Ombudsman as well.

Mr Robinson : In our submission we outline that one of the elements is, in fact, review and appeal arrangements, and I think our submission suggests that the first process for that would best be between the agency that has done it and the entity that has had that site blocked, but it then does mention that there are some legal options for them including—as Rohan said—the Ombudsman or possibly the administrative appeals arrangements.

Mr PITT: I just want to confirm that your evidence is that there have only been 32 requests in two years to block websites. Is that what you said?

Mr Buettel : As far as the department is aware, yes, during the period 2011 to 2014.

Mr PITT: So, of the millions of websites that are available, we have only blocked 32?

Mr Buettel : Correct.

Mr PITT: It appears to me that, if I were intending to do something untoward, I could upload my material to another site within an hour, adjust my SEO and SEM through Google, and be operational within a couple of hours. Is there a repetitive request for the same content for the same providers—is that how it works inside this magical number of 32, or we do not know?

Mr Buettel : That is probably a question better addressed to the Federal Police. They are next.

CHAIR: Gentlemen, sorry to rush you, but we are on time constraints. Thank you very much for coming today. Although we need to move on, it would be helpful if you could provide the secretariat with any additional material that you have undertaken to provide—that VPN information and also your views on how VPNs circumvent the issue, and perhaps looking at the American example. You will get a copy of the draft transcript and you are welcome to request changes in errors of transcription.