pdf (38.83 KB)

Review of Regulation of Access to Communication Under the Telecommunications (Interception) Act 1979

1. The Office of the Privacy Commissioner (the Office) is an independent statutory body responsible for promoting an Australian culture that respects privacy. The Office has responsibilities under the Privacy Act 1988 (the Privacy Act) for the protection of individuals' personal information that is handled by federal and ACT government agencies, personal information handled by all large private sector organisations, health service providers and some small businesses. The Office also has responsibilities under the Privacy Act in relation to credit worthiness information held by credit reporting agencies and credit providers; and personal tax file numbers used by individuals and organisations.

Previous submissions

2. In April 2002, the Office made a submission to the Senate Legal and Constitutional Legislation Committee (the Committee) Inquiry into a number of anti-terrorism Bills. In that submission the Office considered proposed amendments to the Telecommunications (Interception) Act 1979 (the Interception Act), in particular in relation to stored communications such emails, voicemails, SMS and MMS messages.

3. In June 2004, the Office made a submission to the Senate Legal and Constitutional Committee’s Inquiry into the provisions of the Telecommunications (Interception) Amendment (Stored Communications) Bill 2004.

4. In June 2003, the Office made a submission to the Review of Certain Provisions of the Telecommunications (Interception) Act 1979, which related to two categories of warrants: named person warrants and foreign communications warrants.

5. Each of these submissions is available on the Office’s website at http://www.privacy.gov.au/publications/index.html.

This submission

6. This submission addresses the Terms of Reference of the Review of the Regulation of Access to Communications.

7. The Office has not undertaken a comprehensive assessment of the telecommunications interception regime, but rather has focussed its comments on recent changes.

8. Apart from the present temporary situation with regard to stored communications, the Office believes that the Interception Act generally provides an appropriate framework for the regulation of access to telecommunications.

9. The Terms of Reference for this Review are as follows.

1. The review should have particular regard to:
   1. the objective of protecting the privacy of users of the Australian telecommunications system
   2. the assistance that access to the content of telecommunications offers in the investigation of serious crime and threats to security, and
   3. the objective of providing certainty both to agencies seeking access to the content of communications for investigative purposes and for users of the Australian telecommunications system.
2. The review should also consider and comment on the following issues:
   1. the ongoing appropriateness of the current telecommunications interception regime, including, if relevant, alternative arrangements for the protection of, and lawful access to, the content of telecommunications
   2. the protection of information systems from attack by means of the telecommunications system, including the use of intrusion detection systems and other measures for the identification of malicious attacks
   3. the cost implications, including cost recovery mechanisms, associated with the disclosure of the content of communications by telecommunications service providers, and
   4. such other issues as necessarily arise in a broad examination of the most appropriate means of access to communications.

10. Comments against the Terms of Reference are outlined below.

1(a) – Protecting privacy

11. The primary objective of the Interception Act is to protect the privacy of individuals who use the Australian telecommunications system. The Interception Act does this by making it an offence to intercept communications passing over the telecommunications system. The Interception Act also specifies the circumstances in which it is permissible for law enforcement agencies and the Australian Security Intelligence Organisation (ASIO) to intercept communications under the authority of a warrant subject to reporting and accountability mechanisms.

12. In general, people expect their private conversations, including those via telecommunications systems to be free from intrusion by state and commercial interests. This expectation is limited where there are prevailing interests of national security and law enforcement relating to serious criminal offences.

13. All private conversations conducted over the telecommunications system, whether by telephone, internet chat, email, SMS, or other telecommunication means, should, where practicable, be afforded an equivalent level of privacy protection.

14. However, during the 12 month period while the Telecommunications (Interception) Amendment (Stored Communications) Act 2004 (the Stored Communications Amendment Act) is in effect, stored communications including emails, voicemails, SMS messages, MMS messages are not receiving adequate protection.

15. The Stored Communications Amendment Act removes stored communications from the protection of the Interception Act for a 12 month period. Consequently, during that period the Interception Act cannot meet its primary objective with respect to stored communications.

16.Evolving technologies have led to a substantial increase in the use of stored communications. Increasingly, these media are an integral and ordinary part of our personal communication with others, illustrating that such stored communications are little different in how they are used and accepted by individuals to traditional voice telecommunications, or related technologies such as instant messaging or Voice over Internet Protocol (VoIP).

17. Increasingly, individuals rely on stored communications for private or intimate conversations, in the same way they would a telephone conversation. It could be argued that reading someone’s stored communications is as intrusive as intercepting a voice telecommunication and therefore should be subject to an equivalent level of privacy protection.

18. By establishing a different regime for the protection of stored communications in contrast to “live” telecommunications, the Stored Communications Amendment Act raises the risk that individuals may lose confidence in the privacy and confidentiality of modern forms of telecommunication.

1(b) – Assistance in investigation

19. The protection of privacy often requires balancing competing interests and assessing the proportionality of proposed privacy impacts (see, for example, s. 29 of the Privacy Act)[1]. The Interception Act provides a framework for balancing the relevant interests. Allowing the interception of communications clearly has a detrimental impact on privacy. Such a detrimental impact may be balanced, to some extent, against important law enforcement and national security interests. In addition, appropriate oversight and accountability mechanisms can ensure that the impact on privacy is limited to the minimum necessary.

20. Strong justification is needed for the interception of private conversations. The Interception Act recognises that there are circumstances where it is appropriate to allow law enforcement or security organisations to intercept telecommunications. It limits these circumstances, for example to the investigation of relatively serious crimes (e.g. class 1 or class 2 offences). The Interception Act provides a regulatory scheme that ensures any interception of private telecommunications is proportional to the seriousness of the law enforcement or security issues involved, limited to only that amount of privacy invasion required, and subject to specific accountability and oversight mechanisms, including a reporting scheme.

21. Some recent changes to the Interception Act, such as the introduction of “named person” warrants, have increased the ability of law enforcement agencies to intercept telecommunications for appropriate purpose. This has been done within a scheme that provides for some measure of transparency, oversight and accountability.

22. On the other hand, the short-term changes brought about by the Stored Communications Amendment Act have the effect of increasing an adverse privacy impact while lessening transparency, oversight and accountability protections from the interception of stored communications. In this case, there is a question whether the balance has tipped too far away from privacy.

23. Following the lapsing of the Stored Communications Amendment Act in December 2005, it is likely that investigations into serious crime and threats to security will continue to have access to the content of stored communications, under the terms of the Interception Act, just as such investigations presently have access to the content of “live” communications.

1(c) – Certainty

24. In his second reading speech for the Telecommunications (Interception) Amendment (Stored Communications) Bill 2004 (later enacted as the Stored Communications Amendment Act), the Attorney-General noted that this Bill arose out of two previous attempts to “legislate to clarify the application of the Interception Act to stored communications.”[2] In this context, the measures in the Bill, according to the Attorney-General, “represent immediate and practical steps to address the operational issues faced by our law enforcement and regulatory agencies”.[3]

25. It is appropriate that both agencies seeking access to the content of communications for investigative purposes, and users of the Australian telecommunications system, are clear about their obligations and rights under law.

26. To the extent that recent technological developments decrease this certainty, legislative change could clarify the situation.

27. However, absolute legislative certainty in all respects is not always necessary, particularly if it is at the expense of the protection of individual rights.

28. In addition, the removal of the prohibition on the interception of stored communications may significantly decrease regulatory certainty, because of questions about the residual protection of telecommunications customer information, as discussed in the next section.

2(a) – Appropriateness of the current interception regime

29. The scheme presented by the Interception Act generally provides an appropriate balance between the protection of privacy on one hand, and the investigation of serious criminal activity and threats to national security on the other. In the previous submissions discussed above, the Office has identified a number of areas where the balance may be improved.

30. During the 12 month operation of the Stored Communications Amendment Act, stored communications are not afforded the protections provided by the Interception Act, but rather the less rigorous protections of the Telecommunications Act 1997 (the Telecommunications Act), and, to some extent, the Privacy Act.

31. Under the disclosure provisions of the Telecommunications Act (e.g. Division 3 of Part 13), it appears that access to the contents of stored communications would be permitted by law enforcement agencies, a range of Commonwealth agencies, and possibly others, in relation to the investigation of a broad range of illegal activity, fraud and the protection of public revenue. Similarly, internet service providers (ISPs) and their employees would have a broad capacity to disclose the contents of stored communications in the performance of their duties. In addition to permitting disclosures for specified purposes, this Division of the Telecommunications Act includes general provisions such as s. 280(1)(b), which appears to permit disclosures by telecommunications carriers and carriage service providers, such as ISPs, that are “required or authorised by law”.

32. The Office has not conducted a thorough analysis of the full scope of the protections for stored communications provided by the Telecommunications Act. The examples of permitted disclosures listed above, however, indicate that a much broader range of uses and disclosures of the content of stored communications will be permitted than is presently the case under the Interception Act (e.g. disclosure to Commonwealth agencies acting to protect the public revenue, or to law enforcement agencies investigating minor offences).

33. In the Office’s report on the review of the private sector provisions the Privacy Act, Getting in on the Act, released in April 2005, a number of areas were identified where the interaction between the Privacy Act and the Telecommunications Act is unclear. That report recommended that the Australian Government consider amendments to both these acts to clarify the situation, and that further guidance be provided on the operation of these two Acts (see Recommendations 8 and 10). In addition, the Review identified concerns about the coverage by the Privacy Act of some telecommunications companies such as internet service providers, which are responsible for the passage of many stored communications over the telecommunications system (see Recommendation 9).

34. As a consequence, leaving stored communications to the protections of the Telecommunications Act and the Privacy Act may increase uncertainty about the legal picture, rather than resolve it.

35. In the context of the review by Mr Tom Sherman AO of certain provisions of the Interception Act, the Office identified the risk that personal information not relevant to an investigation may be collected as a result of telecommunications interception. The present review provides the Australian Government with the opportunity to ensure that the Interception Act appropriately protects the privacy of individuals where irrelevant personal information is collected.

36. The Office submitted to Mr Sherman that named person and foreign communication warrants authorise law enforcement agencies and ASIO to undertake more privacy-intrusive forms of interception than were previously permitted. They facilitate the interception of a greater number of telecommunications services and increase the likelihood of the interception of conversations involving third parties who may not be relevant to legitimate law enforcement or national security activities. The Office submitted that while powers of interception may be necessary, they must be accompanied by effective safeguards and accountability and review measures.

37. The Office notes the present consideration by Parliament of the Crimes Legislation Amendment (Telecommunications Interception and Other Measures) Bill 2005, which seeks to implement certain recommendations from Mr Sherman’s review. The further reporting requirements contained in that Bill are welcomed.

38. In keeping with a previous recommendation from this Office in the context of named person and foreign communication warrants, the Office recommends that the Interception Act be amended to provide that personal information not relevant to an investigation, where this information has been obtained under any telecommunications interception warrant, be destroyed as soon as practicable, or in any case within six months of the expiry of the warrant.

39. Also in keeping with previous recommendations, the Office recommends that the operation of the Interception Act should be subject to overall, independent review involving key stakeholder and public consultation at least every five years.

40. In relation to Mr Sherman’s review, the Office generally agreed with Mr Sherman’s recommendations, but indicated a number of areas where the recommendations should go further in terms of oversight and accountability mechanisms.

41. In particular, while welcoming the greater transparency and risk assessment provided by Mr Sherman’s Recommendation 1,[4] it is not clear to what extent the recommended assessment and monitoring of telecommunications interception systems would include the assessment of privacy risks or address areas of privacy vulnerability. Given that the protection of privacy is the primary object of the Interception Act, such an assessment is critically important. As a result, the Office continues to recommend that independent vulnerability/risk assessments outlined in Mr Sherman’s Recommendation 1 should include an assessment of privacy vulnerabilities/risks.

42. Other areas of the Interception Act identified by the Office as needing attention in the context of Mr Sherman’s review include the reporting on privacy-related deficiencies and the details on the face of named person warrants.

43. To this end, the Office recommends that inspecting authorities should include (in their annual reports) details of privacy-related deficiencies and the remedial actions taken, and that intercepting agencies list the telecommunication services identified under section 42(4A) on the face of the named person warrant.

2(b) – Protection of information systems from attack

44. The security of personal information is a fundamental principle in privacy regulation, and is reflected in the Privacy Act, for example in Information Privacy Principle 4, and National Privacy Principle 4.

45. The use of intrusion detection systems for the identification of malicious attacks may involve the automated analysis of telecommunications, including stored communications.

46. It is possible to implement appropriate security measures while still protecting the privacy of individuals. Even if such security measures require actions that are technically “interceptions” of telecommunications – and this is not clear – such access to the contents of telecommunications could be provided for within the framework of the Interception Act, and could be limited to that access which is necessary for data and network security (see, for example, section 7(2) of the Interception Act).

2(c) – Cost implications

47. The Office has no comments on this Term of Reference.

2(d) – Other issues

48. Telecommunications are increasingly conducted via digital media, which means that interception of communications can increasingly be characterised as a form of accessing data. The Interception Act provides one framework for protecting privacy while permitting access to certain telecommunications data, however it may not be the only possible framework.

49. In its landmark 1983 consideration of privacy, the Law Reform Commission explained the importance of protecting communications in these terms: “The need for personal autonomy, the basis of the claim for privacy, implies the individual's ability to exclude others from his communications.”[5] It follows that as communications become more susceptible to interception, there is a corresponding risk to individual autonomy.

50. Any consideration of a change to the framework for accessing communications data while protecting privacy would need to ensure that strong privacy protections and accountability mechanisms are not abandonded. The extent to which Australians can conduct private conversations through a range of communications channels would be significantly reduced were it easier for third parties to monitor those conversations without the knowledge of the parties to the conversation.

51. The framework provided by the Interception Act allows the public interest in safety and law enforcement to be appropriately balanced, in a transparent and accountable way, with the public interest in the privacy of communications, and the various private interests and civil liberties that are furthered by private conversations.

52. The Office’s report on the review of the private sector provisions the Privacy Act, Getting in on the Act, found evidence that there is a notable lack of national consistency in privacy regulation in Australia which creates difficulties for many in the community. Any legislative changes to the regulation of the interception of communications should be considered in the context of national consistency, and the need to avoid a plethora of related and overlapping legislation.