Save Search

Note: Where available, the PDF/Word icon below is provided to view the complete and fully formatted document
 Download Current HansardDownload Current Hansard    View Or Save XMLView/Save XML

Previous Fragment    Next Fragment
Tuesday, 27 October 2009
Page: 7276


Senator STEPHENS (Parliamentary Secretary for Social Inclusion and the Voluntary Sector and Parliamentary Secretary Assisting the Prime Minister for Social Inclusion) (5:05 PM) —I move:

That this bill be now read a second time.

I seek leave to have the second reading speech incorporated in Hansard.

Leave granted.

The incorporated speech read as follows—

1. Over the last few years Australians have rapidly increased their internet and computer use.

More Australians than ever are communicating online to create and exchange information socially and for business.

2. Growth in the digital economy means that most Australian businesses now have an internet presence.

Advances in technology together with consumer demand and cost effectiveness will drive further expansion into the online world.

3. This is very important for the Australian economy. Technology provides the opportunity to reduce the geographical isolation that we experience from major trading markets.

4. At the same time, the ease with which information can be collected and communicated means that even home users have sensitive personal information on their computer.

5. It goes without saying that employers often hold sensitive information about employees and customers such as banking details, medical records and contact details of family members. This information can be extremely valuable to cyber criminals rendering users vulnerable to credit and identity fraud and opening the door to large scale attacks on businesses and government agencies.

6. Securing such information from malicious access is critical to protecting Australians from criminal activity, building confidence in the digital economy, ensuring the integrity of key infrastructure and protecting private identity information from being stolen by criminal organisations.

7. Defending computer networks from criminal and malicious activities is an important first step.

Currently, network operators can undertake protective activities once a communication becomes accessible from a computer server or at an earlier point with the consent of the persons using the network.

8. As attacks become more sophisticated, there is an increasing need for network operators to defend their network at the earliest point.

Currently though, in the absence of the knowledge of users, such activities may be regarded as a breach of the Telecommunications (Interception and Access) Act 1979 (the Act).

While consent can easily be obtained from internal network users such as employees, external users may not be aware that their communications are being monitored.

Yet communications from external users generally pose the greatest risk to networks.

9. This bill amends the Act to ensure that network operators can undertake legitimate activities aimed at securing the integrity of their network and the information it contains.

10. Currently an exemption exists under the Act for network protection activities undertaken by designated security and law enforcement agencies.

Early last year the Parliament agreed to extend the operation of these provisions until 12 December 2009 while a broader solution relevant to all networks, both government and non-government, was developed.

11. The network protection regime proposed in this Bill is the result of active consultation with a broad range of stakeholders including representatives from the business community, law enforcement agencies and user groups.

I note that the Bill has been modified to address a number of concerns raised in submissions in order to strike an effective balance between protecting networks from malicious activities while protecting users from unnecessary or unwarranted intrusion.

12. Central to this, the Bill recognises the general prohibition against interception and clearly identifies the circumstances in which the access, use and disclosure of information for network protection purposes will be permitted.

The Bill does not oblige network operators to undertake network protection nor does it specify any type of technology that must be used.

Rather, it focuses on providing clear guidance about when communications can be accessed for network protection activities and the legitimate use and disclosure of information obtained through these activities.

13. Under the proposed regime, network protection activities that copy or record a communication, without the consent of the sender, before that communication is available to the intended recipient will be unlawful unless certain conditions are met.

Interceptions must be carried out by a person lawfully authorised to carry out duties relating to the protection, operation, maintenance or in limited circumstances, appropriate use of that network.

In addition, interception of a particular communication must be reasonably necessary for the performance of those duties.

14. Once information has been collected it can only be disclosed to a designated person or, in limited circumstances, to a law enforcement agency.

Any such disclosure will be discretionary.

Law enforcement agencies will not be able to compel network operators or employers to provide information.

Nor can information be used or communicated if it is converted into a voice communication in the form of speech.

This means that telephone communications will not be accessible under these provisions, preserving the integrity of the interception warrant regime.

15. The Bill also enables designated government security authorities and law enforcement agencies to protect their networks against inappropriate use.

16. While the majority of threats come from external sources, in order to protect information held in sensitive networks it is also necessary to ensure that persons working in such organisations use the network appropriately or in accordance with the agreed use.

This capability is consistent with the current network protection provisions which enable these agencies to undertake network protection activities for this purpose.

17. As the description of an appropriate action will vary between these government organisations, the Bill limits network protection activities undertaken for this purpose to any reasonable uses and conditions set out in a user agreement.

It is anticipated that existing IT user agreements within these organisations will meet this condition.

Information suggesting inappropriate or illegal conduct by an employee or person working for one of these specified government organisations will be able to be communicated or used for disciplinary purposes as long as that communication or use does not contravene another Commonwealth, State or Territory law.

This specific preservation of State and Territory laws protects workers by ensuring that employers cannot avoid applicable State or Territory workplace relations requirements or workplace surveillance laws by accessing information under this Act.

18. Currently, no such protections exist in the Act.

As network protection activities operate outside the scope of the Act there is no protection or guidance on the legitimate use and disclosure of information obtained by network owners for network protection purposes.

This means that in the absence of other relevant statutory duties, there is a real risk that information can be used inappropriately against network users.

The network protection regime set out in this Bill clearly addresses this gap providing specific direction to all network owners and operators about the circumstances in which communications can be accessed for the purposes of network protection activities and the legitimate purposes for which information can be used.

Other Amendments

19. The Bill also includes several amendments that will improve the effective operation of the Act.

20. The Bill amends the definition of ‘permitted purpose’ in relation to the New South Wales Police Integrity Commission to reflect an expansion in the Commission’s role.

Information intercepted in the course of investigating a serious offence will be able to be used for the purposes of investigating conduct relating to administrative officers of the New South Wales Police Force and officers of the New South Wales Crime Commission.

21. The Bill also clarifies that information that has been intercepted by the Australian Federal Police in the course of investigating serious offences, including terrorism offences, can be used by the Australian Federal Police for purposes associated with the making of Control Orders and Preventative Detention Orders under Divisions 104 and 105 of the Criminal Code.

22. Finally, the Bill makes amendments to the provisions of the Act that relate to evidentiary certificates. The Bill will enable the Managing Director of a carrier to delegate his or her authority to sign evidentiary certificates in relation to interceptions authorised under a warrant issued to the Australian Security Intelligence Organisation (ASIO) and information authorised under a stored communications warrant issued to a law enforcement agency.

23. These amendments replicate current provisions in relation to interceptions undertaken in relation to a warrant issued to law enforcement agencies.

24. The Bill also contains provisions enabling evidentiary certificates to be issued in relation to the access of telecommunications data.

The amendments will ensure that sensitive interception capabilities will not be exposed in the course of court proceedings.

25. These technical amendments will ensure that the Act continues to be clear and relevant in the obligations and powers it places on telecommunications carriers and law enforcement agencies.

Conclusion

26. This Bill will maintain the currency of the Act by ensuring it responds to new and emerging challenges.

The introduction of a comprehensive network protection regime will, for the first time, provide clear guidance on when network protection activities can be undertaken and the conditions that must be complied with when dealing with related information.

By enabling networks to protect their infrastructure and information while recognising the impsortance of user privacy, this Bill marks an important step in this Government’s commitment to building confidence in the online world.

Debate (on motion by Senator Stephens) adjourned.