Note: Where available, the PDF/Word icon below is provided to view the complete and fully formatted document
Standing Committee on Infrastructure and Communications - 06/03/2015 - Section 313 of the Telecommunications Act 1997

NICHOLLS, Dr Robert John (Rob), Private capacity

[13:28]

CHAIR: I welcome Dr Robert Nicholls to provide evidence today. Although the committee does not require you to give evidence under oath, I should advise you that this hearing is a legal proceeding of the parliament and therefore has the same standing as proceedings of the House. I would like to start by thanking you very much for helping us with those more technical questions earlier today. I now invite you to make a brief opening statement if you wish before we proceed to discussion.

Dr Nicholls : I only want to make a short opening statement in order to provide a reasonable amount of time for any questions. Although I am appearing in my personal capacity, I am a research fellow at Swinburne University and at the Centre for International Finance and Regulation. I am also the Independent Telecommunications Adjudicator, and I resolve disputes between Telstra and its wholesale customers under Telstra's Structural Separation Undertaking.

CHAIR: Does it keep you busy?

Dr Nicholls : Yes, although perhaps not as busy as you might think. I am also a visiting fellow at the Centre for Law, Markets and Regulations at UNSW Australia Law. I am originally an engineer, and I have spent the last 30 years working in telecommunications, with the last 20 years focusing on the intersection of technology, law and regulation. I was a non-lawyer partner and consultant at Gilbert + Tobin, and in that role I advised a range of carriers and carriage service providers on section 313 obligations. I also interacted with law enforcement agencies on behalf of a number of those carriers and carriage service providers. Because there are similarities in the way that the legislation works with other regimes, I have provided advice in other jurisdictions with similar regimes and in a couple of months time I am going to a conference in Oman, where I am speaking about that specific problem with a group of international experts to help the regulator in Oman frame its reasonable assistance or interaction between carriers and law enforcement agencies regime.

For disclosure, the member for Greenway was one of my colleagues when I provided a lot of those advices. I have also worked for the ACCC and another law firm, and dealt with section 313 matters in those roles.

I think it would be useful if I addressed a couple of technical issues in advance of any questions. I understand the rationale behind the need for law enforcement agencies to disrupt access to certain web-based content. There are a number of ways to do this, as I mentioned, and making a reasonable assistance request of a carrier or carriage service provider is only one of those options. I think one of the issues that would be of interest to the committee in considering which agencies should have this disruption power is based on technology, so I am afraid I am going to go back to basics. When you type a web address into a browser, this web address is called the uniform resource locator, or URL, as the previous witness mentioned. If you google something and you click through one of the answers to your google queries, then it is just the same as typing the URL into your web browser. It will return the equivalent of if you typed it in. It does not matter whether you are using a computer or using a tablet or using a mobile phone, the underlying technology is the same in all cases.

What you tend not to do while you are browsing the web is to type in the internet protocol address of the website. What happens is that your internet service provider sends the URL information to a domain name server, or DNS. This domain name server converts the word-based web address to a numerical internet protocol, or IP, address. Those packets of information you send to and from a normal website use the IP address of the website and your IP address to identify the to and from when you exchange data.

When I was preparing these comments I was at home and using a Bigpond account. My IP address was 121.211.111.236. As I was checking the terms of reference, the Australian Parliament House IP address was, and is today, 202.14.81.88. I can also tell you that the contact person for the Australian Parliament House website has their office in Senate suite 1.50. How do I know this? I just used a public tool, and the one that I used was ipinfo.info. I use the AFP here as an example, because I am going to contrast them with another agency when things went badly wrong, but when the AFP look to set up disruption they will almost certainly do some form of quick check like this. They may use different tools but, broadly, my experience is that the staff at the AFP understand how to find this information. They are technically literate and they make sure that they find this information. One of the things they are likely to do is that if you look at a website you could then type that IP address into the web browser. I checked this yesterday and, when I typed in the Australian Parliament House's IP address into a web browser, lo and behold I got aph.gov.au, which is exactly as one might expect.

But there is not always a one-to-one relationship between the URL and an IP address. As the previous witness suggested, there are two different things going on here. The one that causes the issue that was raised by ACCAN this morning, and was raised by the Internet Society of Australia, is that there is an option that is commonly used called shared IP posting. In this name-based virtual hosting, or shared IP hosting, the virtual host serves multiple host names with one machine and a single IP address. The reason that that works is, when a web browser requests a resource from a web server using hypertext transfer protocol—the HTTP of an address—it includes the host name as part of the request. The virtual server uses the information to determine which website to show to the user. It is important to note that this does not work with HTTPS, hypertext transfer protocol secure. When you have a little padlock somewhere in your web browser, that actually relies on there being a one-to-one mapping of IP address to URL.

If I look for the IP address of a site which is useful for people getting answers to technical questions called superuser.com, I find, using the same tool, that the answer is 190.93.244.58. However, if I put that IP address into my web browser, I get a page that says, 'Error 1003, direct IP access not allowed.' The particular page is helpful; it says, 'You have requested an IP address that is part of the CloudFlare network.'

I think that one of the problems that ASIC faced when it took down the many websites that we heard about before, was that the person at ASIC did not understand the issues. The carriers and carriage service providers gave reasonable assistance under section 313, and they dealt with the request on its face, in the same way that they would deal with a request from the AFP on its face, but with an expectation that the work done by the agency would be the same in both cases. It was not. My view is that, if the AFP had been seeking the disruption of access to the same material, their request might well have been in the form of a URL request, as the previous witness has suggested, and they might, for convenience, have said, 'And this is the IP address, but it is a virtual IP hosting address.' And they might have, in any case, gone after either the domain, or the web hosting provider in order to get the material taken down.

I would be very happy to answer any technical questions that you have. I would also be happy to give my views, as a personal opinion, on aspects of the terms of reference—specifically, which government agencies should be permitted to make requests; what level of authority; the characteristics of illegal or potentially illegal material; and an appropriate measure for implementing such measures. Thank you.

Ms ROWLAND: I am interested in cutting to the chase: how would you answer those terms of reference? Please use the whiteboard!

Dr Nicholls : I know the whiteboard is there. I will use it to answer technical questions. It seems to me that the logical way of dealing with disruption is to take into account that this is a significantly different form of assistance than usual assistance which is rendered by carriers and carriage service providers. It seems to me that the logic would be to think about it as if it was a matter which was comparable to the requests for prospective data under the Telecommunications Interception and Access Act. So the answer to 'Which government agencies?' is: law enforcement agencies. Does that preclude ASIC or the ACCC from providing disruption to material? Not in the most serious cases. If there is likely to be fraud going on, whether that is an ASIC or ACCC request, then the AFP can probably deal with that. On the other hand, if it is somebody who is engaging in misleading and deceptive conduct, the AFP is not going to be able to do that.

The TIA Act essentially says that for prospective data the level of authority is SES 2—first assistant secretary level or equivalent within the agency. It seems to me that even if that power is delegated within the agency, having somebody at a level where they might expect to be asked questions about the matter, either by a House committee or in Senate estimates, is not an unreasonable thing. Have the person senior enough. Provided you have certainty—and I will come in a moment to how you get to that certainty—I do not see that you necessarily need a warrant regime provided that, essentially, it is a senior officer's career that is on the line for a decision that the material access to which is going to be disrupted is serious enough that they are willing to sign an authorisation.

CHAIR: I think you are also saying that the AFP and ASIO probably already have the powers under different legislation for things like terrorism—or not?

Dr Nicholls : I am not clear that they do. They have powers under the Telecommunications Interception and Access Act to seek historical data—metadata. They have the power under section 175 for historical data and section 176 for prospective data—different rules depending on the data that is sought. If the AFP was after Dr Pender's historical telephone records, it does not need a senior officer to ask for those. If the access, instead, was able to locate Dr Pender, that would be a different issue which requires a different level. I am not saying that they have that power currently; I am just saying that it provides a nice analogy to how the power might be dealt with, so that you have a senior level of authority. In respect of a crime, I quite like that ACCAN proposal of a serious offence—something that gets two years or more in prison.

But I am not absolutely sure that I understand the position that was taken by ACCAN that we should have a new section 315A that talks about disruption of websites. My view is that, by the time that is drafted and implemented, it is likely to be technologically obsolete. What is much more important is to have the principle of what a disruption should be. Whether that needs to be a legislative or a regulatory solution I am not sure. What is important and what could be done relatively easily is to have, as the Department of Communications has suggested, some form of whole-of-government guideline or, even better, a code that deals with all carriers and carriage service providers, or, if it actually requires it, potentially even making it a service provider rule as part of your normal obligations as either a carrier or a carriage service provider.

I think part of the issue with why many ISPs do not seem particularly responsive to these types of issues is most likely technical, which is that, if you are going to do blocking, the logical place to block is on the border, because, if the material is domestic or hosted domestically, there are solutions for this. If it is internationally hosted material, an effective approach is to look at where the fibre optic interconnections to the various networks in Australia are. Only the major ISPs which have international capacity need to be addressed on this, because the balance can be done through the border gateway routing of each of the major providers. A small regional ISP, which would find it very difficult to deal with a section 313 request, is likely a wholesale customer of one of the much larger ISPs. A much more efficient approach for disruption is to deal with one of those larger ISPs or carriers.

CHAIR: Thank you. I interrupted you, sorry.

Ms ROWLAND: I think you were up to (c).

Dr Nicholls : So (c) is characteristics of serious crime—so a crime that would entail a jail sentence of two years or more. I think and hope that this addresses child abuse material very readily. But I think it would also potentially address material based on fraud and even potentially cartel conduct where that cartel conduct was likely to be serious enough to be a criminal offence. To be fair, most cartels would not use a website to advertise.

Ms ROWLAND: No; they would just have a big meeting!

CHAIR: So it would not really include things like the Nigerian loans scam or things like that?

Ms ROWLAND: I was about to say that too, or the current one that is going on with an email that features the Service NSW logo and tells you you have a parking fine, which a lot of people are opening and destroying their computers with.

Dr Nicholls : No, but I am not sure that website disruption would capture that either. You would need to actually look at dealing with emails which originate from a known—it is hard because technically this issue becomes very complex where you know where the origination is. In practice, scam emails such as the parking fine email or 'You have a tax rebate', which is also a recent one—

CHAIR: That is so unbelievable.

Dr Nicholls : And it is something very plausible—$124.57. It not very big.

Ms ROWLAND: It is the grammar and punctuation that gets me every time!

CHAIR: I think the concept that the tax office would ring you to tell you that they had extra money is hard to believe.

Dr Nicholls : But it is much more problematic to disrupt that type of behaviour. Whereas disruption of access to websites is, at first blush, technically reasonably feasible—yes, there are workaround measures—disrupting flows of emails becomes more complex because it is harder to trace where that email has come from. So it may appear to have come from somewhere perfectly legitimate.

CHAIR: Earlier we were discussing a website where you go to find a partner. You can scan through it and find someone and start a conversation with them, and they have been found to be just part of the temptation of catching poor, vulnerable people who then spend a fortune sending money to bring people out or to give lifesaving operations. That would be a website where you would go through the website.

Dr Nicholls : Yes. That potentially looks like fraud. It looks like an area which has been targeted under the consumer law by the ACCC. Sadly, dating sites generally have the potential for being fraudulent. The ones which are bona fide are the ones that will be first to be keen to see the disruption of access to fraudulent websites. But there the potential is that the fraud would be a serious criminal offence. So there the issue is: it is not a consumer protection matter but it is fraud and it is an AFP matter, or it is potentially a state-based offence but a criminal offence and therefore one of the existing law enforcement agencies would be an appropriate body to issue the disruption notice and a senior officer in that body would be the person who authorises that.

CHAIR: Thank you. Are you keeping us on track, Michelle?

Ms ROWLAND: We are up to D.

CHAIR: Did we cut you off on C?

Dr Nicholls : For C, serious crime; and for D, as I mentioned, I think there are a number of options. A whole-of-government practice would be a reasonable approach, using the existing sets of relationships between the law enforcement agencies and the major carriers and carriage service providers, each of which has a law enforcement liaison unit. The generation of this type of practice note could in turn either be left as a practice note—if it is going to work that way—it could be converted into an industry code that Communications Alliance would publish, or it could become a service provider rule, as it gets baked in to the conditions of you being a service provider. The basic condition is: you have got to comply with the Telecommunications Act, and this could be a specific provision if there is a belief that having it at one of the other levels would not achieve the results that were expected.

Ms ROWLAND: Lastly, costs. Where the costs incurred—like, what differences would your approach be to what exists now? Dr Michael was just telling us that the consumer would end up bearing the brunt of these costs in the end. What difference is it going to make?

Dr Nicholls : Professor Michael is a co-author with me on a number of papers. We are all good friends. I see that the cost of the law enforcement liaison units in each of the carriers is ultimately borne by consumers currently. Your $60 mobile plan actually includes some contribution to your mobile carrier having a unit that liaises with law-enforcement agencies.

My view and my hope is that this disruption power would not need to be used very often and, as a result, it would be implemented by existing law-enforcement liaison groups within carriers. Would those groups need to be expanded or not? Perhaps the answer is: yes. But I do not believe we are talking about large amounts of money. Data retention has real costs. This has operational costs, but the operational costs of configuring the routing table of a border gateway router are mainly the cost of making sure that the 313 notice on its face was something that the carrier or carriage-service provider could rely on to get the immunity that is provided under 313. The secondary cost is actually provisioning that change.

My view is that provided this regime is doing what I understand the committee intends it to do—that is, to disrupt access to illegal, criminal and highly objectionable material. The previous witness mentioned 30 big providers of commercial child-abuse material. We are talking in the tens or hundreds of sites not in the thousands or tens of thousands of sites.

CHAIR: You have offered legal advice, but the secretariat says we have covered what we need to, technically. Dr Nicholls, you have been very generous with your time and I would appreciate it if we could come back to you if we get bogged down. You have managed to explain it to those of us with less technical background on that, so thank you very much. Thank you for participating in our public hearing today. The secretariat will send you a draft transcript of proceedings, so requests can be made to correct any errors of transcription, and any additional information would be most appreciated.

Mrs Nichols : Thank you for the opportunity.