Note: Where available, the PDF/Word icon below is provided to view the complete and fully formatted document
Legal and Constitutional Affairs References Committee
07/03/2018
Adequacy of existing cyberbullying laws

CAMERON, Acting Commander Joanne Lee, Acting Manager Victim Based Crime, Australian Federal Police

CROSSLING, Detective Acting Superintendent Jayne, Acting National Coordinator, Missing Persons and Exploited Children, Australian Federal Police

HARMER, Ms Anna, First Assistant Secretary, Security and Criminal Law Division, Attorney-General’s Department

WARNES, Mr Andrew, Assistant Secretary, Communications Security and Intelligence Branch, Attorney-General’s Department

[14:39]

CHAIR: I now welcome representatives of both the Attorney-General's Department and the Australian Federal Police. I understand parliamentary privilege information and information regarding the protection of witnesses and evidence have been provided to you. I remind witnesses that the Senate has resolved that an officer of a department of the Commonwealth or a state shall not be asked to give opinions on matters of policy and shall be given reasonable opportunity to refer questions asked of the officer to superior officers or to a minister. This resolution prohibits only questions asking for opinions on matters of policy and does not preclude questions asking for explanations of policies or factual questions about when and how policies were adopted. Thank you for your submissions. I invite both agencies to make an opening statement. At the conclusion of your remarks, we will invite members of the committee to put questions.

Ms Harmer : Thank you for the opportunity to appear today on the adequacy of criminal offences for cyberbullying. I thought this afternoon I would provide a brief overview of existing offences relevant to cyberbullying and also, if it is useful, address some of the points that have been raised in submissions to the committee thus far.

The Attorney-General's Department, by way of background, contributes to the whole-of-government response to cyberbullying through the administration and policy responsibility for Commonwealth telecommunications offences contained within the Criminal Code. The department acknowledges that there is justifiably a strong community expectation that the Commonwealth take measures to deter cyberbullying and protect children and young people, and this has been reflected in submissions to the committee thus far. Cyberbullying is captured by a range of existing Commonwealth criminal offences in the Criminal Code including the offences of using a carriage service to commit a serious offence, using a carriage service to make a threat to kill or seriously harm, and using a carriage service to prepare or plan to cause harm to a child. The most directly relevant offence, however, is the offence for using a carriage service to menace, harass or cause offence which is contained in section 474.17 of the code and carries a penalty three years imprisonment. A number of submitters have referenced that particular offence. This offence, like many other Criminal Code offences, is broadly framed and applies to a range of conduct and through that extends to conduct commonly described as cyberbullying. This approach is consistent with Commonwealth criminal law policy, which prefers offences of general application over numerous slightly different offences of similar effect. General offences criminalising classes of conduct avoids the technical distinctions, loopholes and additional prosecution difficulty or appearance of incoherence that can be associated with multiple more specific offences. The existing offences in the Criminal Code are also technologically neutral, focusing on the harmful conduct of the perpetrator rather than any specific communications service or platform. This makes them applicable to the wide range of communications services and public platforms now in use as well as resistance to frequent rapid changes in communications technology.

Section 474.17 of the Criminal Code has been successfully used to prosecute a range of cyberbullying related activity. A number of those prosecutions have resulted in the imposition of significant custodial sentences. For example, in 2015 in the case of Grott v The Commissioner of Police, the defendant was charged with two counts of conduct contrary to section 474.17 as well as state stalking and identity theft offences. The defendant in that case used fake social media profiles to form friendships with two women before undertaking a range of cyberbullying activity including sending taunting and abusive messages, and posting naked pictures of some of one of the victims on Instagram with abusing and derogatory comments. Grott was found guilty and sentenced to three years imprisonment for each count of Commonwealth offence, and that sentence was upheld on appeal. The Commonwealth Director of Public Prosecutions advises there have been 947 charges against 475 unique defendants proven under section 4.74.17 of the Criminal Code since its introduction in 2014.

I should add that it's not possible to precisely quantify the number of instances that relate to conduct that is described as cyberbullying, as opposed to other conduct that may be covered by the offence, but it is correct to say that numerous instances of cyberbullying have been prosecuted using this offence. It's also the case that that data does not include prosecutions that have been conducted by state and territory prosecutorial agencies which are also able to prosecute Commonwealth Criminal Code offences.

The department's submission noted that existing provisions in the Criminal Code already criminalise cyberbullying. But, as the Prime Minister has recently reflected, it is important that every step be taken to reduce the incidence of bullying, whether online or offline, and eliminate it wherever possible. Several submissions to the committee have called for the creation of a specific cyberbullying offence or an aggravated offence where the victim has self-harmed or taken their own life as a result of the bullying. To the extent that it assists the committee, the department makes the following observations that might inform the development of any criminal responses. It is worth noting, though, that more specific offences may not necessarily make cyberbullying conduct easier to prosecute. Indeed, the converse may be true.

Against that background, the department suggests that any additional offences could draw on the existing offence in 474.17, noting the offence's existing application in relation to cyberbullying and its resilience and adaptability to changing technology and community behaviours. Several submissions have sought an increase in the penalty for existing cyberbullying offences. The current maximum penalty for an offence under 474.17 of the Criminal Code is three years imprisonment. Criminal offences, and accordingly the Criminal Code, should remain responsive to developments in antisocial behaviour and consistent with community expectations. The maximum penalty applied to an offence should aim to provide an effective deterrent to the commission of the offence and reflect the seriousness of the offence within the relevant legislative scheme. A higher maximum penalty will be justified where there are strong incentives to commit the offence or where the consequences of the commission of the offence are particularly dangerous and damaging.

We note, however, that when considering any change to the current criminal framework consideration should be given to the potential impact on children and young people. As noted in many of the submissions to this committee, cyberbullying, sexting and other online antisocial behaviours are increasingly engaged in by children and young people and, as a result, there is a risk that any new offences or penalties for cyberbullying will disproportionately apply to children. Criminal sanctions for minors in particular should generally be an option of last resort.

Finally, while the department's role is generally limited to legislative frameworks, we work closely with multiple partners to combat cyberbullying and other online crimes. I take this opportunity to note that education and community engagement to address the underlying causes of and prevention of serious cyberbullying are particularly important. Changing behaviours and preventing offending conduct is of course ultimately far preferable to pursuing punitive criminal sanctions. I thank you for the opportunity to make these comments, and we're happy to answer the committee's questions this afternoon.

CHAIR: Thank you very much. Does the AFP have any additional remarks?

Cmdr Cameron : We're very supportive of the comments made by our colleagues today and look forward to any questions that you might have.

Senator STEELE-JOHN: Thank you for taking the time to be with us today. I have a question for the AFP, and I'm not sure of the extent to which you'll be able to answer this. We've heard a very connecting thread throughout the submissions that victims' interactions with police forces, both the AFP and state based forces, are not as they should be—that there seems to be a lack of officer training with regard to both how to interact with victims and how to apply the law in this space. One of the comments that's stuck with me is that somebody was told, 'Get off the internet, love'. And the observation was generally made that law enforcement's attitude and knowledge in this area in 2018 is similar to where it was in regard to domestic violence 30 years ago. I'm wondering whether you could give us your perspective on where the AFP and Australian policing generally is in relation to both that cultural shift and knowledge required to apply the law.

Cmdr Cameron : Thank you for your question. I could take a very long time to answer it in full, but perhaps I may speak from a position of acting manager of victim based crime for the Australian Federal Police and also some experiences that AFP of course has in a state jurisdiction as they operate the ACT policing in that community policing based context. I acknowledge the challenges that you have brought forward in your question. I acknowledge that there is a range of service that police agencies provide to the Australian community and I recognise and accept that some of that service needs improvement.

In relation to what we are doing in relation to victim based and victim centric investigations, such as this issue that we are here today speaking about, cyberbullying, we can extend that to broader victim based crimes. You mentioned family violence and domestic violence. I could make mention of investigations that relate to human trafficking in slavery and other victims in the community who are extraordinarily vulnerable—that the connection that police have with those vulnerable victims needs to be very focused in terms of our training and understanding of how those victims present. And I can say that police agencies across Australia and the world are very attuned to the need to provide their frontline members with the adequate skills, training and awareness. The vulnerable victim, when they come to a police agency to interact with them about their criminal complaint, needs that nuance.

I recognise that there is a way to go. The Australian Federal Police delivers a continuum of training to its members around victim based crime, recognising that unique interaction and the skills that a police officer needs to bring forward when someone makes that complaint, and I recognise that it sits very fairly and squarely in this space of cyberbullying. The other challenges to our police front line are of course our own understanding of technologies and our own generational challenges, shall I say, where the younger generations are far more tech savvy and tech aware than perhaps some of our police are. So, again, there's an acceptance that we need to be delivering technology training and cyber training to equally understand the platform that they're operating in so that we are effective in the way we respond and investigate and gather evidence.

Senator STEELE-JOHN: And you are actually delivering that training currently?

Cmdr Cameron : I can speak absolutely on behalf of the Australian Federal Police. We have a specific victim based crime continuum that absolutely recognises vulnerable victims. And, as I mentioned, that skill development goes more broadly beyond cyberbullying investigations but certainly to any victim based crime that we investigate.

Senator STEELE-JOHN: Would you be able to provide the details of that program to the committee on notice?

Cmdr Cameron : Yes. We'd be able to take that on notice.

Senator STEELE-JOHN: We're looking for frameworks that we could promote to address this issue, because it does seem to be a problem in state based jurisdictions. Going specifically to the cultural element, not only for how your officers interact with victims but also how your officers flag when they themselves are victims of cyber based abuse, is that fully covered within the training you're providing to your officers at the moment?

Cmdr Cameron : If I may ask a clarifying point, do you mean a reference to the fact that police may themselves be targeted as victims?

Senator STEELE-JOHN: Yes. Officers obviously have an online experience themselves and are sometimes subject to these types of abuses. When we were hearing from DCI Mahoney from New South Wales, she was speaking about the way in which this cultural push that has come down from the commissioner had also embraced ensuring that officers know that they can flag experiences that they are having in this space. So, I'm just wondering: is that part of your training as well?

Cmdr Cameron : The training I've already made reference to is perhaps more operationally focused in relation to our operational context of investigating a crime that has been reported to us. But certainly we're also very aware of the welfare issues within our organisations, and we obviously have frameworks that allow for our members to come forward—welfare services and our wellbeing services—if they themselves were subject to that sort of behaviour. And could I also extend that to a code-of-conduct kind of issue such that we are certainly aware of reminding our workforce that we ourselves demonstrate online behaviours that are expected of our community.

Senator STEELE-JOHN: I'm not a resident of the ACT, but I have ended up working there quite a bit now. So, if I as a person with a disability made it known to the AFP that I'd been a victim of, say, image based abuse—which quite a high proportion of people with a disability are—you would expect that my interaction with your frontline officer would reflect your commitment to victim care and those kinds of issues that you were talking about before?

Cmdr Cameron : Yes, I do stand by the training and the frameworks that we give our workforce. Of course, having said that, I also stand by the fact that it's regrettable that occasionally certain specific examples come to us that perhaps do not display those sorts of activities that would align—

Senator STEELE-JOHN: Of course.

Cmdr Cameron : So I stand by the frameworks of our training and our customer service training that we give our frontline.

Senator STEELE-JOHN: Thank you so much for your time.

Senator PATRICK: Mr Warnes, my questions are in relation to the issues that have been raised throughout the inquiry about police and law enforcement authorities getting access to data that would assist identifying a perpetrator. My understanding is that ISPs are required by law to collect metadata but there are limitations imposed by the parliament on what that metadata can be used for, and those limitations focus around national security and terrorism. Is that correct?

Mr Warnes : I will pass to Ms Harmer, who has quite a bit of experience on the data retention regime.

Ms Harmer : It is correct that the parliament did pass legislation that requires communications service providers to retain various telecommunications data for a period of two years from the creation of that data. That data is then accessible under provisions in the Telecommunications (Interception and Access) Act. There are some restrictions on it but they are certainly not as tight as you have laid out. The data is accessible for the purposes of the investigation of offences against the criminal law, the protection of public revenue and there is another category as well that is in the civil space.

There is not a restriction that limits that use to national security. Indeed, telecommunications data is particularly useful and used to identify perpetrators and to follow up leads in offences that use telecommunications for their mode of engaging in the conduct. In fact, one of the issues that was raised during the passage of that particular legislation is that often the lead information is not the information of the perpetrators but the lead information of the victims and tracking back from there. That information is now stored by providers and is accessible to law enforcement agencies, both state and federal, under authorisations issued by a senior officer within that agency.

Senator PATRICK: The exception to that, I recall, is for journalists. Is that correct?

Ms Harmer : Again, that's not so much an exception as a particular threshold that must be met. There is a limitation in that information in relation to a journalist for the purposes of identifying a journalist's source requires a warrant before that information can be obtained to identify their source. In the event that a journalist was being investigated for the commission of a criminal offence in their own right and not acting in their capacity as a journalist, that limitation would not apply and their data could be obtained, much as any member of the community who is engaging in criminal conduct could have their data obtained.

Senator PATRICK: Including parliamentarians, rightly, as well.

Ms Harmer : The law applies equally to all—that's correct.

Senator PATRICK: Evidence presented to us has been that people have gone to the police and said that someone has trolled them or put up a post and so forth and the response from the police has been, 'We can't get access to that data because of privacy concerns.' Can you talk me through what your understanding is of the ability of police, state and federal, to, in circumstances where prima facie a crime has been committed, access that data and work back and find the source of the communication?

Ms Harmer : It is fair to say that there is a range of operational challenges, and I might pass to my colleagues in a moment to reflect a little bit more on the challenges in investigating offences when it comes to a particular complaint. In relation to the legislative frameworks, at the Commonwealth level there are exceptions to privacy for the enforcement of the criminal law. So privacy legislation per se is not an obstacle when it comes to the enforcement of the criminal law. There are, nevertheless, protections in relation to communications data and the like and information that is inherently personal. Again, that's the data retention legislation that I mentioned previously which ensures that a particular threshold is met before that information can be accessed. But on the face of the legislation it is possible to request information to investigate offences under, for example, section 474.17.

What the case may be is there may be investigative challenges in following down particular leads. There may then be challenges in obtaining material in an admissible form to support a prosecution—for example, information that is held by social media companies that are based offshore. Obtaining that information in an admissible form can sometimes be a challenge in the sense that it takes considerable time. But the information is available. The question is: how easy is it to get? There can be some operational challenges there.

Cmdr Cameron : We are very supportive of the comments made by my colleague. Identity of the perpetrators in crimes such as cyberbullying is perhaps one of the more key challenges that we have. As mentioned, the information that we're seeking around the subscriber of the account, for example, often sits offshore, and accessing that information can take some time. If it's to be presented in a court in an admissible format, that can take up to years through the mutual assistance request processes. In terms of the framework for accessing it, we access it through an exemption under the Privacy Act.

Senator PATRICK: You're describing a circumstance where it's problematic in law or in practice; that is, where the perpetrator is overseas. We heard from a victim today—

CHAIR: The ISP.

Senator PATRICK: Where the ISP is overseas, sorry—thank you, Chair.

CHAIR: I shouldn't interrupt you; I think the social media service is overseas.

Senator PATRICK: One of the witnesses today was talking about a domestic violence scenario where, one presumes, the perpetrator was, in actual fact, in Australia. Can you give me the circumstances where the ISP and/or the perpetrator is in Australia, and what the difficulties or challenges might be?

Cmdr Cameron : It's a matter of going through the processes of seeking that subscriber information to confirm the subscriber details for an account which often doesn't have a sensible name—links to the identity of the suspect that you'd expect the victim could've brought forward to police. Then it's a matter of the basics of investigative processes. There are a number of lines of inquiry that can be undertaken. Having noted some of the challenges, they sit within the normal realms of lines of inquiry. Speaking to people, taking witness statements and taking screenshots and documentation that might be accessible by the victim can all build towards—

CHAIR: Can I ask a supplementary question to Senator Patrick's question. The example given to us today—you could review the evidence and perhaps take this on notice—was of someone who was being cyberbullied by their former partner, but was told that there could be no action taken unless she could provide the IP address for that person, in order to get a warrant to investigate that. Does that ring true to you?

Senator IAN MACDONALD: To identify the locality of the—

Ms Harmer : If I may, one of the things we could do is to look at the evidence that's been given. But the challenge is in following through a particular scenario that's been drawn to the attention of a committee, where we won't be familiar with the particular circumstances.

CHAIR: I guess what we're trying to work out is: if there are legal impediments to getting that kind of work done, we need to know what they are so that we can reflect on them.

Senator IAN MACDONALD: Can you access IP address metadata? The evidence given to us is that it's for security purposes, or national security, but you can't use it to find a person—not to use as evidence, but to find a person—who is guilty of a crime.

Ms Harmer : If I can be direct, it is not correct to say that telecommunications data, including an IP address, can only be obtained for national security matters. It can be obtained for criminal matters, which would include an offence such as 474.17. Indeed, one of the features of the data retention legislation was the key challenge that IP addresses are quite transitory—they can be changed quite quickly—and that information was not being stored by telecommunications providers. It is now being stored, and has been stored now for over 18 months. It is possible to make a request for that information.

I think the difficulty I was alluding to previously was in not wanting to draw a conclusion about whether the response that that particular victim received was one of a misunderstanding of the law, or a level of service that was not consistent with the standards that police service might normally apply. But I am very happy to talk about systemic issues and legal frameworks. In terms of access to telecommunications data, it is absolutely the case that it can be sought and obtained for the enforcement of the criminal law. So policing services, whether state or federal, where they have identified that an offence has been committed, can seek telecommunications data for that purpose—

Senator IAN MACDONALD: From the courts?

Ms Harmer : No, not from the courts. They can go directly to the provider. It's an authorisation process that requires an authorisation by a senior officer within the agency. I think it's an inspector—

Cmdr Cameron : Superintendent.

Ms Harmer : Superintendent level that can issue an authorisation. It needs to meet certain criteria, which are effectively that the intrusion on privacy is justified to obtain this piece of information.

Senator IAN MACDONALD: I would like you to have a look at the evidence of a witness who was a journalist and came with the Media Entertainment and Arts Alliance—I forget the name of the journalist—who had a series of quite outrageous threats. I'm not asking you to look at her individual case but the sort of complaints she was registering about the police. She claimed they were incapable of doing that because they couldn't find the address or the perpetrator. Could you take that on notice without commenting on her individual case but rather on her comments about the police being unable to find who was doing this?

Cmdr Cameron : Sure. I might just caveat our response in this way: I respond to the committee within a framework of the operational processes of the Australian Federal Police. I daren't speak more broadly than our agency on whether the matters drawn to your attention are as a result of other police agencies' operating framework. I cannot comment on that.

Senator PATRICK: Just to be clear from the Attorney-General's perspective, the law does allow for state police forces in the investigation of prima facie criminality to access that data as well, where a superintendent gives approval.

Ms Harmer : Absolutely. The Telecommunications Interception Act is the legislation that regulates it. It is a national scheme; it is not just for federal agencies. It regulates both the interception of communications—that's that real-time recording of communications—and access to stored communication—text messages and the like as well as communications data which identifies the parties to the communication, when it occurred and for how long. It is a federal scheme accessible to a specified list of agencies, which includes all state and territory policing agencies.

Senator PATRICK: I seem to recall there is a report you put out every year to indicate the numbers—

Ms Harmer : There is an annual report that provides not just the numbers of requests but also the crime types at a level of generality. So it uses a categorisation model which has been endorsed by a national body that looks at crime types. It does provide a breakdown of the nature of offences that are under investigation.

Senator PATRICK: That's very helpful. To deal with another problem that has been raised: when you have access to metadata, it has been said that a perpetrator may adopt a pseudonym or some other sort of anonymity by creating new accounts and so forth but that, ultimately, could be tied back to an IP address. If someone is switching identities, one would have thought that could be tracked using metadata.

Ms Harmer : I think that's where we get to the operational challenges that I alluded to before. One of the values of the data retention legislation is the ability to track an IP address and something that might be associated with a pseudonym or fake profile and track that back to a real-world person. It's not infallible in that regard; it relies on the ability to check the registration and there are certain obligations, for example, in the communications portfolio on providers to record certain information about the subscriber to their services so it can be linked back. What the telecommunications data does is to provide lead information that can then support investigations and be linked with other material and other investigative leads to identify a real-world person.

Senator PATRICK: My understanding is—I do have an engineering and software background—the metadata access would enable you to at least initiate an investigation and then the point at which you look at the substance or content of the communication requires a warrant, doesn't it?

Ms Harmer : It absolutely does, yes.

Senator PATRICK: But you can move from that step to the point where you've got a warrant and you can then capture images, conversations and emails, because we also heard, in the previous hearing, a suggestion that some of this stuff—and it might've been overseas, to some of the media people—was in fact orchestrated in some way by groups of people who seemed to take pleasure in harming people.

Ms Harmer : There have certainly been some prosecutions of people who take pleasure, if you would describe it that way, in causing great offence, distress and anguish to people, and one example of the ways it has been prosecuted under 474.17 is of a man who defaced tribute pages to two young people who died in quite tragic circumstances—I think one took his own life and one had been quite brutally murdered. That person defaced the website pages with quite offensive and distressing information.

In terms of the content point that you made, there would be a question about what investigative techniques would be appropriate once that telecommunications data has been obtained. There are a range of warrants available under the Telecommunications (Interception and Access) Act. There are warrants for the interception of communications. They are more limited in their availability. They are limited to particular, serious classes of offences, and the parliament has determined that they ought to be limited to particular classes. Stored communications warrants allow access to stored communications—emails, text messages and the like—that might be stored rather than in transit over the telecommunications system, and they are available for serious offences, which are those with a penalty of three or more years imprisonment, and so include the offences that I described in my opening statement.

Senator PATRICK: In effect, the evidence you've just given to the committee is that the laws that we have in place allow the prosecution of people who are menacing and harassing—that would fall within the category of cyberbullying—and, in actual fact, it sounds like you've got the tools available to you. So what would perhaps lead to some of the reluctance—and I understand this—is a lack of resources? Would that be a fair statement?

Cmdr Cameron : I think we have led ourselves to the issue of resourcing, and the tools and the legal frameworks that police have available to them. Putting those into operational effect is resource-intensive, depending on what strategy is being deployed. I would also like to bring to the committee's attention that cyberbullying and the investigation under section 474.17 is often the remit of state and territory law enforcement, and the reason for that is: under the protocol for law enforcement agencies on cybercrime investigations, any technology-enabled investigation into technology-enabled crime such as this is a lead for the state and territory agencies to take forward as an investigative focus.

Senator PATRICK: And that's by agreement or choice?

Cmdr Cameron : That's by agreement under the protocol that was led through an ANZPAA forum to set the framework for cybercrime investigations so that there was a protocol of who would have the lead on those kinds of investigations—so those sorts of investigations that may happen in a face-to-face context, such as bullying or harassment, and if it's using a carriage service that then leads us to a cyberbullying investigation. That is a lead for the state and territory police to take forward, whereas, if we talk of other cybercrimes, like denial of service attacks and those sorts of infrastructure investigations, there is a different lead in relation to which law enforcement agency takes forward those kinds of investigations. For the average person who wants to make a complaint under these offences that we're speaking of today, it is, more often than not, the vast majority of times, their local law enforcement, their local police service, that is taking forward those investigations.

Senator PATRICK: Then it becomes a matter of severity, which can sometimes be a little subjective. Take some of the stuff we heard today, which was quite shocking and led to a physical assault, versus someone who says, 'I don't like what that person said.' Are there guidelines for that?

Cmdr Cameron : It's the protocol that I referred to, about guidelines as to which agency would have lead—

Senator PATRICK: But, having decided that it's a state based agency—and maybe you can't comment—when a referral goes to the AFP there are a series of questions that are asked in deciding whether or not you investigate.

Cmdr Cameron : That's right. And decisions around these sorts of investigations would naturally lead to that person being referred to their state or territory police agency.

Senator PATRICK: The New South Wales police suggested to us that in one circumstance—and it didn't sound like it was super-definitive data—it took more than six months to get access to user information from a social network platform. That may have been an overseas related matter, so, once again, there's complexity there. So that we understand the toolkit—and your evidence has been fantastic in that regard—what's in your kitbag to oblige a social media platform to give information and to respond in a particular time frame?

Ms Harmer : There are probably a couple of things I can say there—noting, of course, that we haven't had the opportunity to see the evidence in relation to that particular scenario. There certainly are challenges in obtaining material, as I said before, in admissible form. That challenge can arise where relevant material is held overseas and where it is held by a provider who is based offshore. There is a process for obtaining that material and there is a process for ensuring that that material is obtained. That is the mutual assistance process, which is a form of international cooperation in criminal investigations under which a national government can make a request for evidence to be provided. It can be a process that takes some time. It can take the amount of time you alluded to in your question—six months or potentially more—or it can take less. We prevail upon our international colleagues to provide assistance in urgent and time critical matters, but it is fair to say that it can take some time. The time that is taken, though, is to obtain content in admissible form. There certainly are things that can be done without the content being in admissible form. The delay that arises there is the delay in being able to have material that can be adduced before a court.

Domestic frameworks allow us to obtain the kind of information that might be of assistance in progressing an investigation. For example, in the cyberbullying context you typically have a victim who has come forward. Unlike some crimes, where you'll have no visibility of either party, you'll have some visibility and the victim will be able to provide some information. You then have some lead information to progress your inquiries. The challenge then is in building the case so that it can be referred for prosecution. That's where the delay—assuming that I've understood the scenario you explained to me correctly—can sometimes arise.

Senator PATRICK: I would imagine that if I went to Facebook Pty Ltd they might well have their servers internationally. It would be a situation where an Australian company is providing the service but the cloud based service is actually located overseas.

Ms Harmer : That's correct.

Senator PATRICK: Does that present a problem for you?

Ms Harmer : In the Facebook example there's no Australian company providing the service. You might have a carriage service provider who's providing an internet access layer but they'll have no visibility of the traffic that's going over that layer. The Facebook or other hypothetical social media provider is based exclusively offshore and may not even have a presence in Australia. That can create some challenges, but certainly there are cooperative relationships, both at an informal level and from that international crime cooperation perspective, where there can be formal requests for assistance.

Senator PATRICK: If the data's attached to an incorporated company or a Pty Ltd company but the server's in Australia, does the jurisdiction for you to get access to that information centre on the fact that it's physically located in Australia, or is it complicated by the fact that the owner, or the caretaker, of the data is an international company?

Ms Harmer : As a hypothetical, potentially yes, but in my experience of the way international communication services are provided I can think of only one free mail service that is actually based in Australia. I don't think it has much usage these days. The vast majority of services that are being used are either provided by a domestic carrier, and then they would be within our jurisdiction for requests—

Senator PATRICK: And hosted overseas.

Ms Harmer : or they're provided by carriers offshore. I don't think I found an instance where the data is stored here but is provided by services based offshore, if that's what you are suggesting.

Senator PATRICK: It is, but I just wonder whether or not that then requires the parliament to place an obligation on the Pty Ltd to be able to respond to police, so you don't have to go back through an international police agency to get to data that has been effectively set up through a Pty Ltd.

Ms Harmer : Where you've got information that's within the custody and control of the company that's within jurisdiction, then there would be a range of tools that might be available, but, I have to say, I just haven't seen—

Senator PATRICK: Do you need more tools? Maybe you'd like to take that on notice.

Ms Harmer : I think that's something I'd need to refer to the AFP to have a look at.

Det. Supt. Crossling : I think there's relevance in other crime areas, most definitely. Certainly, I'm thinking foreign bribery but perhaps not in the cyberbullying context.

Senator PATRICK: Thank you.

CHAIR: I might begin by asking the AFP how they go about investigating snowballing cyberbullying where there is a cluster of perpetrators against a victim and where a lot of that online harassment and abuse would meet the criteria within 474.17, particularly where you've got perpetrators who are perhaps right around the country and victims who are quite mobile as well.

Cmdr Cameron : I can't specifically draw a case study example for you, unfortunately, and I do accept the complexities that the platforms of the internet and the like create in terms of multiple offenders where a groupthink type arrangement can happen, and someone's being castigated online by a variety of people against them. I do draw certainly the investigative focus of these crimes back to the investigating agency. Irrespective of whether it is a singular event of harassing or menacing or it is a cluster, it really draws itself to an aggravation of that offence, rather than a need to shift it to a different jurisdiction.

CHAIR: In a sense, I'm interested in asking what you do to prevent these offences. We had lots of evidence from women in the media about the fact that, once you're a target, then someone else targets you and someone else targets you and someone else targets you, and you can't seek to bring a charge forward every time it happens. It's like when people need a risk assessment in the same way you protect politicians because they're likely to become victims again from anonymous perpetrators of this. How do you prevent people from becoming victims of these crimes when they are perpetually targeted?

Cmdr Cameron : Perhaps we draw to another important aspect of law enforcement's response to this, which is, rather than an investigation of those transactional crimes, the broader role of crime prevention that the AFP coordinates in this space. Ourselves, along with other organisations and, importantly, state and territory police have proudly put forward a crime prevention initiative called ThinkUKnow, which aims to educate the community—teachers, parents, community leaders and, separately, schoolchildren—in relation to online behaviour.

CHAIR: Yes, I'm familiar with that. What I'm unsure about is where, for example, someone has had regular threats in their letterbox or over the phone. The police need to work out whether those threats are serious and the extent to which you can monitor the safety of that person who has been the victim of those threats. That's what's happening to many women online, and they don't feel like they're getting adequate protection, given that some of them have had experiences where those online threats have indeed translated into real physical threats.

Cmdr Cameron : Senator, I think you've brought a very wicked problem to the situation. The approach unfortunately, for law enforcement is often that, in a transactional sense, insofar as there is an event in which a person is victimised by another and law enforcement's response to that, if it's in the criminal realm, is to investigate that incident or those sets of multiple incidents. You've brought forward a complication insofar as, if this person, as you've described, becomes reputational for being victimised and there are multiple layers of others trolling online—I'm struggling to provide a clear answer of what a law enforcement response is to those situations. It does highlight the need to understand people's online behaviour in general, of calling out perpetration and of people being responsible so that they themselves don't become part of that group that starts to accept that those sorts of behaviours, in a group manner, are acceptable.

CHAIR: If that was happening to me or to another member of parliament, historically, the police have put security around people to ensure that they're safe. What I don't understand is why, when the overwhelming nature of the threats that are made, there's not at least an attempt to get to the bottom of what's going on to try and sweep it clean so that this kind of harassment of individuals does not continue to snowball.

Cmdr Cameron : I think I could comment in a local context. If you were to draw that analogy to a schoolyard or a community where there was a person being targeted by a group of people, that's a containable thing that any law enforcement can respond to not so much prosecution but certainly with restorative-justice-type practices to bring those groups together to call out the behaviour. When that behaviour is spread across multiple states and perhaps even overseas, I accept the complexity of the issue that you put to us.

CHAIR: Ms Harmer, is there anything you can add about the laws that the AFP and others have to operate within and the limits of those laws in terms of trying to address the kind of behaviour that I've raised?

Ms Harmer : The difficulty is that the law is, in some respects, a blunt instrument. This is where we need to look at the problem from the full continuum. The law, typically, deals with the end aspect of it, so we're looking here at offences and prosecution. Offences and prosecution serve particular purposes. They serve to punish. They serve to deter. But, in terms of avoiding recurrent behaviour, repeat offending and copycat offending, that's where you're looking at the kinds of strategies that the eSafety Commissioner has outlined in education and interventions through reporting, investigation or harm-minimisation strategies. Unfortunately, policing agencies are not in a position to provide personal protection, for example. MPs fall, obviously, into a particular category, where, because of their status, there is some additional protection that's provided there.

CHAIR: But the kinds of abuse and threats made in these instances are quite similar.

Ms Harmer : That's right. There is, in some instances, advice that policing agencies can provide. While they do investigations, they also provide advice about personal protection. I'm conscious of the point that Senator Steele-John made before about ensuring that it doesn't become the victim's fault and they then need to take action themselves, but policing agencies do provide advice about harm minimisation where a person has become a victim of a crime. The issue you've raised about repeat offending—the law is a difficult instrument to apply to repeat offending by multiple offenders. That's going more to a prevention and education piece. Because of the way criminal responsibly works, it naturally should apply to an individual, and each case can and should be treated as an individual offence. As you say, those threats that are received need to be investigated.

CHAIR: The only parallel I can draw therefore is, when bullying takes place in a workplace or a school environment, there's a duty of care for the institution to tackle the culture within that institution. We have a policy that individualises, but we've never adopted a policy that holds to account Facebook, Twitter or other organisations that provide the platform for this kind of traffic—if it's workplace bullying, the workplace is accountable for preventing bullying between colleagues. What can we do to make sure that the virtual environment, because more and more people live so much of their lives in it these days and it is a workplace for many people, is held accountable for holding at bay people's bad behaviour?

Ms Harmer : That would be something that both the eSafety Commissioner and, potentially, the Department of Communications would be better placed to answer. As I said, the Attorney-General's Department provides support and engages with a range of agencies but our responsibilities are largely confined to the creation of those offences. What providers can do is provide a measure of assistance. There is a question about what else they should be required to do but providers do provide a measure of assistance. The question is: what is practical and feasible that they can do?

A range of social media providers take action to prevent their platforms being used to disseminate material that would be criminal in nature. They have certainly done a lot to prevent the use of their platforms for the dissemination of child exploitation material or child pornography and have done quite a bit as well in relation to the promotion of violent extremism. That's been done through cooperative mechanisms rather than through legislative obligations, so I think it is fair to say that there is a reasonable expectation that the providers of services take steps to ensure that their platforms are not used for criminal conduct but I think I would leave to you the question of what obligations should be placed upon them, noting that there are some practical considerations.

There are often assumptions that it is very simple to deal with some of these challenges. I think it is indeed actually quite vexing. Some of the suggestions that have been made about what providers could be required to do are quite nuanced and quite challenging. Without wishing to reflect upon victims, look at the prevention strategies and education strategies that can be used around how we deal with the modern communications environment, how we deal with social interactions so we are not then getting to the end of only using either criminal offences or obligations on the provider of services after the conduct has occurred because anything that the provider does necessarily occurs after the conduct has occurred. Anything policing does occurs after the conduct has occurred.

CHAIR: Yes, but anything a provider does does not necessarily have to be after the conduct occurs. There is no reason a virtual world environment provided by Facebook should be any different to a workplace in terms of preventing people from making personal attacks that promote violence or death threats and the like. Just like there is an onus on the workplace employer to prevent that kind of behaviour at work, surely we should be able to look to what we can put in place. Many of our witnesses have called for a duty of care for large media organisations such as Twitter and Facebook. They think that if there were civil penalties for failing to provide that duty of care that that would be a key driver for preventing what is currently normalised behaviour.

Ms Harmer : I can see the principle behind the suggestion. To the extent that there is an analogy between a workplace and a social media provider, the social media provider gives effect to that through its terms and conditions et cetera and the messages it provides to its users, a workplace is in a different position because it has supervisory responsibility for its staff. I think a better analogy for the workplace would be, for example, in the foreign bribery context, where there are laws before the parliament that a workplace must prevent that behaviour.

CHAIR: Notwithstanding the fact that people conducting this behaviour are breaching the terms and conditions. What is the duty of the provider to ensure that people are participating do not breach them because of the very real harm that comes to victims?

Senator PATRICK: In the European Union, in Germany, there was a reference made to laws passed in Germany that imposed very hefty fines upon Facebook and other such platforms.

Ms Harmer : We might be getting into territory where this department is not as well-placed as the eSafety Commissioner might be to comment on these suggestions. I think the eSafety Commissioner could potentially be more helpful to the committee in this regard.

We would draw to attention the challenges in implementing something like that and how you would give effect to that. Without having seen all the evidence that they have given, I would be confident that the social media providers would say that there are challenges in identifying the material. Many of them include reporting mechanisms, so that users can click 'report' and provide information back about things that are offensive or harassing. I am probably a bit old school and it is more about text messages than social media, but tone and intent is very difficult to detect. If you put yourself in the position of someone who is not a party to the conversation to review and take responsibility for that, that is quite a challenging position to be put in. So we would make those observations about the challenges and the broad sense of social obligation, but the eSafety Commissioner is probably best qualified to comment in that space.

CHAIR: We have spoken to the eSafety Commissioner. She hadn't yet done any research on what's going on in Europe. Have you had a look at what's happening in Europe and the change in laws and the responsiveness of their services? Evidence that we have received from other organisations is that material is taken down much more quickly than is currently the case here in Australia.

Ms Harmer : Again, I think that would be an area where the eSafety Commissioner would be more qualified. We haven't reviewed in detail the European position, and, again, I think the eSafety Commissioner would have the expertise and the ability to contrast that, noting that they have that role in facilitating takedowns.

Senator PATRICK: The evidence provided to us suggested that the offences related to racism.

Ms Harmer : That's correct. Germany has a long history of having much more stringent offences that are based on their history of anti-Sematic conduct, and there are some offences over there that not only would not be offences within Australia but also would be contrary to some of our principles that are fundamental to our legal system.

Senator PATRICK: The principle was that they were laws associated with racism and it was simply the deterrent effect that caused Facebook to employ a whole range of new employees to deal with the problem—noting that there was a substantial fine that they were going to be subjected to if they didn't get it right.

Ms Harmer : There may be some questions about how you drive appropriate corporate behaviour, but, in terms of legal obligations, the space that we work in is not one where we have found that increased legal obligations has necessarily been as effective as collaboration. But perhaps the German experience provides a contrast. Again, though, it seems to be that the effect has been around takedowns. I would again perhaps refer to our colleagues in the eSafety Commissioner's office about how you drive appropriate corporate behaviour and whether offences is the right way to do that.

CHAIR: I don't think the committee has any further questions. Thank you all for coming to give evidence.

Committee adjourned at 15 : 37