Tuesday, 23 August 2011
Cybercrime Legislation Amendment Bill 2011; Second Reading
This is an area of law of great professional and personal interest to me. I have been analysing, commenting on and advising on the subject matter of this bill for many years, particularly with some of my former colleagues whom I wish to acknowledge today. The intersection between technology, electronic communications, law enforcement and privacy is one which I have witnessed grow and expand from something of a fringe area of law and policy into a household term which we now commonly understand to constitute cybercrime. Indeed, I remember over a decade ago firstly advising on the differences between the breaches of the prohibitions against telecommunications interception in the Commonwealth legislation as opposed to the criteria under the various state and territory listening devices legislation.
Probably the most complex advisory roles at that time concerned 'double jacking', or a third party listening in to conversations between a customer and a call centre operator, usually for quality assurance purposes. There have since been enormous developments in the law, corresponding with the evolution of data collection and storage, access to data, prospective access, access to metadata, as well as the needs of law enforcement agencies to exercise necessary powers to enforce the prohibitions in the Criminal Code Act dealing with crimes using communications devices. Equally, at a practical level, carriers, carriage service providers and carriage service intermediaries have also been required to maintain their compliance and cooperation standards with such agencies to implement these measures.
The term 'cybercrime' is usually defined by way of inclusion rather than exhaustively. It includes the use of a device by means of a network to commit offences against that network, as well as that network being utilised to commit an offence. The expanded use and accessibility of any number of devices—be they telephony exclusive, data or, as in most cases, platform and content neutral in nature—and the explosion in networks and the network of networks that comprise not only what we understand to be the internet but networks capable of storing clouds of data, unfortunately means that capacity for illegal activity utilising such networks is virtually ubiquitous.
It is also why, unfortunately, cybercrime is often associated with some of the most heinous offences imaginable. Part 10.6 of the Criminal Code Act 1995 lists those offences, including: using a telecommunications network with intention to commit a serious offence; using a carriage service to make a threat or a hoax threat; using a carriage service to menace, harass or cause offence; offences relating to use of carriage services for child pornography material or child abuse material; and offences relating to the use of a carriage service involving sexual activity with persons under 16, including using a carriage service to groom persons under 16 years of age or transmit indecent communication to persons under 16 years of age. There is also a series of computer offences listed in part 10.7 of the Criminal Code Act. It is unfortunate that the term 'cybercrime' is now commonly understood to be associated not only with threats to private and national infrastructure, which was the primary focus of the law around a decade ago, but as recently as over the weekend we saw on our television news footage an individual being charged with grooming offences in a sting conducted by police in Western Sydney. It is therefore not without careful consideration that successive governments have approached this complex area of policy and regulation within a prism of seeking maximum evidence gathering and enforcement opportunities. Equally, the successive amendments to the laws including an interception and access regime, which is almost unrecognisable compared to the now superseded primary 1979 act, have not gone without scrutiny from privacy advocates and, for practitioners and operators in the area, the implementation and the practicality of the law have been overriding issues.
I would like to turn to the international arrangements on the issue of cybercrime since the bill before us is intended to set the legislative framework to enable Australia's accession to the Council of Europe Convention on Cybercrime. As noted by the Attorney-General when introducing the bill in June this year, the intent of the convention is to provide systems to facilitate international cooperation between signatory countries as well as establishing procedures to increase the efficiency of law enforcement investigations in this area. This includes the ability of authorities to request the preservation of specific communications, assisting authorities of one country to collect data in another, the establishment of a 24/7 network to provide immediate assistance to investigators and facilitating the exchange of information on these matters between countries. Thus, as described in the convention, its main objective is to develop a common criminal policy to combat cybercrime through international cooperation.
The convention was considered earlier this year by the Joint Standing Committee on Treaties of which I am a member. Australia, as a non-member state, was invited to accede to the convention in September last year. In its report on the convention, the treaties committee noted that, in addition to the crimes referred to previously, cybercrime is a growing threat to consumers commensurate with the value and significance of electronic communications as the most efficient, dynamic and prolific global mechanism for social, professional and business communications.
Despite the range of prohibitions set out in current legislation and the existing powers of surveillance, search and obtaining by warrant available to law enforcement agencies, new threats from cybercrime continually emerge. Again, as the treaties committee noted in its report on the convention, consumers were not only the prime targets of such activity but the nature of networks which do not recognise geographic borders poses an immediate challenge, stating:
The Committee notes advice that while Australia currently has specific laws targeting cyber crime—including such offences as unauthorised access, modification or impairment of computers, online child exploitation, copyright infringement and online fraud—law enforcers are increasingly challenged by the transnational and dynamic nature of this type of criminal activity.
In its report, the treaties committee noted concerns raised in its public hearing on the convention, including the potential impact of ratification on the integrity of Australia's regulation of computer communications in the context of the rights of individuals as well as privacy protections and on the capacity of the states and territories to raise and implement the necessary enforcement powers to support Australia's obligations.
As a parallel matter, which I have alluded to, there are the practical issues of implementations by operators. In the public hearing on this matter conducted by the treaties committee in March, I raised the following questions and issues:
For many years I acted for telco operators and particularly when I was in-house we would receive access requests for data going back many weeks or months. For SMSs, being store and forward technology, you would need a server the size of Western Australia to store all of this stuff for some of the periods that were required. I am sure this still goes on today, but we got access requests for communications that were weeks or even months old. The engineering that needed to be done to retrieve them was prohibitively expensive. I know it is revenue-neutral in the end because you have the interception agreements with the Commonwealth.
There was not a process that all of a sudden the carrier would get notified, ‘In a few weeks we are going to ask you for all this information.’ If this is going to work effectively I am concerned that in a very practical sense telcos would not have budgeted for this. I do not think any of them made submissions to the committee.
In response, the departmental witnesses reiterated that the measures proposed in the convention and the amendments themselves would be about preserving material already held by a carrier.
While I accept that advice, it would be remiss not to highlight some of the concerns that have been raised about these issues at a policy and procedural level. Firstly, the treaties committee rightly recognised the growing threat of cybercrime, but it also recorded its awareness that surveillance and data storage by law enforcement agencies does raise fears about privacy with potential threat to human rights and liberties. The committee noted that the convention contains certain guarantees for human rights protection and judicial review. Secondly, the committee placed on the record its concerns about lack of transparency in the review process for this important treaty. In its recommendation 14, in relation to the convention, it recommended the Attorney-General's report to the committee on any proposed amendments to Commonwealth, state and territory law in support of the convention.
Thirdly, I note concerns raised by organisations and privacy advocacy groups, including the Australian Privacy Foundation, as reported in the media and elsewhere, such as guidance on any legal restrictions regarding how data would be used by foreign nations once it was handed over by our domestic law enforcement agencies. I also note, as reported in the Sydney Morning Herald on Friday, the concern that Australia is, per capita, home to more data interception than almost anywhere else in the world. I am very familiar with this, particularly as I was involved in much of the research and commentary in this area that over the past few years fed into Social Implications of National Security, the forum and proceedings overseen by the Research Network for a Secure Australia and edited by Katina Michael and MG Michael.
Fourthly, I note that last Thursday the Joint Select Committee on Cyber-Safety tabled its report into the review of the bill. The report contained 13 recommendations intended to clarify and tighten conditions under which new powers of law enforcement agencies may be exercised. The committee recognised the importance of enabling Australian agencies to work with their international counterparts, particularly in relation to crimes against children. As stated by the chair, Senator Bilyk, these views were unanimous with the intention of allaying fears about the potential to misuse these powers and ensuring that they are actually available to fight cybercrime but also that the public has confidence in the scheme. One of the most important points made by the committee, and it goes again to the line of questioning which concerned me at the Joint Standing Committee on Treaties, was that this is not a data retention scheme and it does not allow foreign countries to demand access to private communications.
I would finally like to mention and acknowledge the thinking and rigour, both in a policy sense and from a practical implementation viewpoint, of former colleagues who involved me in what I maintain was commentary well ahead of its time on this issue. I want to particularly note the cost-benefit analysis undertaken by Rob Nicholls, on whom is now or very soon to be conferred the title of Dr Nicholls for his outstanding academic contributions to communications and broadcasting. One of Rob Nicholls's most compelling works was his contribution to the fourth workshop on the Social Implications of National Security, entitled 'For what it's worth: cost benefit analysis of the use of interception and access in Australia'. This was not a cost-benefit study of whether or not the interception and access regime in Australia should exist; rather, it was an analysis of the effectiveness of Australia's covert communications law enforcement arrangements with international benchmarking. It examined this on a qualitative basis, in terms of outcomes with privacy rights forgone, and in a quantitative sense—the monetary cost of the regime per conviction. This was able to be analysed thanks to the requirements to publish the Attorney-General's annual report into the interception and access operations that had been conducted in the previous year, 2009.
Rob Nicholls also noted that 2009 was the milestone 30th anniversary of the Telecommunications (Interception and Access) Act—the addition of 'access' in its title being added only a few years ago to accommodate the provisions for access to data rather than limited to real-time voice communications. His analysis included the following salient points. In the period from 1 July 2008 to 30 June 2009, there were more than 3½ thousand warrants for interception and access executed in Australia. By way of background, there is a strict prohibition against interception and access, except in cases of a warrant. The vast majority of these warrants were consistently in relation to drugs offences over the period 2006 to 2009. There was a reasonable level of effectiveness of interception warrants, with a consistently higher than 50 per cent rate of arrest per warrant. Compared to the United States over the period 1 January 2008 to 31 December 2009, the total number of warrants issued in Australia under the regime was slightly over two-thirds of the number in the United States. When one considers that the population of the United States is around 15 times that of Australia, the per capita discrepancy becomes stark. Canada's 2009 figure showed a warrant rate less than Australia's on a per capita basis, as did the United Kingdom.
I believe it would be remiss, not only in a policy sense but also in a legal sense, considering the strict communications-specific privacy requirements set out in part 13 of the Telecommunications Act and the strict prohibition against interception and access to communications without a warrant, not to consider the concerns of privacy advocates and individuals generally in this area. However, at the same time, we must recognise that Australia operates in a global economy, that we are connected to the world by a global network and that international cooperation is the only effective way to combat the incidence and impact of cybercrime for all Australian citizens. I therefore agree with the comments of the Attorney-General and the Minister for Home Affairs and Justice, as stated in their introductions to the bill, on three important points. The Attorney-General stated:
The increasing cyber threat means that no nation alone can effectively overcome this problem and international cooperation is essential.
The Minister for Home Affairs and Justice stated:
Australia must have appropriate arrangements domestically and internationally to be in the best possible position to fight cybercrime and cyber security threats.
He also said this bill:
… is an important step to increasing the powers of Australian investigators to effectively combat cybercrime with increased international cooperation.
I therefore commend the bill to the House.