Draft Internet Industry Association eSecurity Code of Practice; Submission to the Internet Industry Association (October 2009)
Our reference 2003/0062
Mr John Hilvert
Communications Director,
Internet Industry Association
Via email: securitycode@iia.net.au
Dear Mr Hilvert
Draft Internet Industry Association eSecurity Code of Practice
The Office of the Privacy Commissioner (‘the Office’) welcomes the opportunity to comment on the proposed Internet Industry Association’s (IIA) draft eSecurity Code, version 1.0 (‘the Code’). [1]
The Office was an observer at a workshop in June 2009 hosted by IIA to discuss security matters facing ISPs and the issues that such a code could cover.
Purposes of the Code
It is understood that the broad purpose of this voluntary code is to guide Internet Service Providers (ISPs) in improving internet security within networks. The Code identifies specific problems associated with compromised computers known as zombies and aggregated ‘botnets’. Problems include identity theft, dissemination of spam and malware, together with the hosting of illegal content such as child pornography. The Code would support ISPs to provide end users with information about security issues, and includes strategies for managing risk and reporting malicious activity.
Specific comments
The Code is intended to coexist with other IIA Codes (including the Spam Code of Practice), the Cybercrime Act 2001 and other relevant legislation. In the context of interpreting the Code, the ‘Act’ referred to at draft clause 1.6 could be specified, as it is unclear to which Act it is referring.
Monitoring of networks
An objective of the Code is to encourage ISPs to actively check for suspicious activity within their networks and to report instances of such activity to relevant law enforcement agencies (clause 2.1(c) and (d)). Clause 6.1 in Part B of the Code states that ‘active monitoring’ may be undertaken by ISPs ‘as part of normal network management activities’. This clause could refer to Item 1 of Schedule 2 of the Code, which sets out a number of ways ISPs can detect malicious activity.
The Code also notes (at 4.1(h)) that the privacy of end users is paramount, and that the Code ‘does not require the surveillance of individual online activity’. The Office welcomes this statement. According to 2007 community attitudes research conducted by the Office, 96% of respondents believed that monitoring of an individual’s internet browsing activity by businesses without the individual’s knowledge was a misuse of personal information. [2]
Although not mentioned in the Code, the Office also notes that the surveillance of individual communications over a network may breach the Telecommunications (Interception and Access) Act 1979 (‘TIA Act’) and could also be an interference with privacy under the Privacy Act 1988 (‘Privacy Act’). The Office has recently made submissions relating to proposed changes to the TIA Act in relation to computer network protection. [3]
The Code goes on to state that the objectives of the Code will advance privacy interests of users by reducing the scope for identity theft (at 4.1(h)). This could be further explained, such as by reference to the impact of malware (Preamble, at 1.5) or email ‘phishing’ activity.
While the Code does not require individual surveillance, as part of educating and providing resources to users, the IIA or ISPs could make information available on the extent and purpose of security measures that may be privacy-sensitive to individuals, such as so-called ‘packet-sniffing’. This would be consistent with the Privacy Act’s intention to promote ‘openness’ about information handling activities (see National Privacy Principle 5). [4]
Disclosures to law enforcement agencies
The Code states that in some cases ISPs may be required to report instances of compromises, malicious activity or attacks to relevant law enforcement agencies or to provide reasonable assistance as required by the Telecommunications Act 1997 (at 4.1(l)). Where the disclosure of personal information is involved, the Office considers that it may assist ISPs if the Code specified the relevant provisions in that Act which allow disclosures to law enforcement agencies.
Code Review
The Office supports the provision for review of the Code within 18 months of implementation (clause 9). The Code could briefly outline the intent of the review, such as to assess the Code’s effectiveness in line with its objectives, and any unforeseen impacts.
Coverage of ISPs by the Privacy Act
The 10 National Privacy Principles (NPPs) in the Privacy Act regulate personal information handling by many private sector businesses. The Office understands that more than a quarter of ISPs are ‘small business operators’ (SBOs) within the meaning of s 6D of the Privacy Act and therefore not subject to the NPPs [5] unless they are trading in personal information. In its recent inquiry and Report 108, For Your Information: Australian privacy law and practice, the Australian Law Reform Commission (ALRC) examined exemptions from coverage of the Privacy Act. [6]
The ALRC noted significant concerns that some businesses in the telecommunications industry (such as ISPs) ‘pose a particularly high risk to privacy’. [7] It recommended that the exemption for SBOs should be removed (recommendation 39-1). On 14 October 2009 the Australian Government publicly released its first stage response to ALRC Report 108. [8] The Government has stated that it proposes to consider the matter of exemptions from the Privacy Act in its second stage response to the ALRC’s recommendations, which will be subject to further consultations.
Noting the Code’s statement that ‘the privacy of end users is paramount’, the Office submits that consumer confidence in the Code and its members would be enhanced if ISPs that are small businesses were to voluntarily opt-in to Privacy Act coverage, under s 6EA of the Act. That provision allows an SBO to choose to be treated as an ‘organisation’ that is subject to the NPPs’ standards and oversight by the Privacy Commissioner. Opting in may be seen as a practical demonstration to end users that a small ISP is committed to respecting and protecting privacy. [9]
If you wish to discuss these comments further please contact Andrew Solomon, Director of Policy, on 02 9284 9708 or by email: andrew.solomon@privacy.gov.au
Yours sincerely
Timothy Pilgrim
Deputy Privacy Commissioner
October 2009
[1] The draft Code of Practice is available at www.iia.net.au/code.pdf.
[2] Office of the Privacy Commissioner, 2007 Community attitudes towards privacy in Australia, pp 35-36, available at www.privacy.gov.au/business/research/index.html. The survey involved 1503 individuals selected at random.
[3] See the Office’s submission on proposed amendments to the Telecommunications (Interception and Access) Act 1979 relating to computer network protection at www.privacy.gov.au/materials/types/download/9413/6957
[4] The National Privacy Principles under the Privacy Act are available at www.privacy.gov.au/law/act.
[5] See paragraph 39.56, ALRC Report 108.
[6] ALRC Report 108 is available at www.alrc.gov.au/inquiries/title/alrc108/index.html
[7] See paragraph 39.51, ALRC Report 108.
[8] More information on the Government’s response to ALRC Report 108 is at www.pmc.gov.au/privacy/alrc.cfm.
[9] More information on opting in to Privacy Act coverage is at www.privacy.gov.au/business/small/opting.