House debates

Tuesday, 23 August 2011

Bills

Cybercrime Legislation Amendment Bill 2011; Second Reading

8:58 pm

Photo of Paul FletcherPaul Fletcher (Bradfield, Liberal Party) Share this | Hansard source

I am pleased to have the opportunity to speak on the Cybercrime Legislation Amendment Bill 2011. This is a bill which makes amendments to a range of existing acts which collectively give effect to the regulatory regime applying to online criminal activity today and also give effect to the framework for international cooperation between regulatory and enforcement authorities in a range of jurisdictions. For that reason, the bill amends a series of acts, including the Telecommunications (Interception and Access) Act 1979, the Criminal Code Act 1995, the Mutual Assistance in Criminal Matters Act 1987 and the Telecommunications Act 1997. The purpose of the set of amendments made by this bill to all of those acts is to ensure that Australian legislation is compliant with the requirements of the Council of Europe Convention on Cybercrime so that in turn Australia can accede to that convention. Why is it that we as a nation would be concerned by the terms of a convention agreed between a range of European nations? The answer to that question becomes clearer when you look at the substance of the provisions which will be introduced into the various acts that I have mentioned.

Firstly, under these provisions carriers and carriage service providers will be required to preserve the stored communications and telecommunications data for specific persons when they receive a request to do so from certain domestic agencies or from the Australian Federal Police on behalf of certain foreign countries. Secondly, the amendments have the effect that Australian agencies are able to obtain and disclose telecommunications data and stored communications for the purposes of a foreign investigation. Thirdly, the amendments provide for the extraterritorial operation of certain offences in the Telecommunications (Interception and Access) Act. The amendments also expand and amend the computer crime offences in the Criminal Code Act 1995 and create confidentiality obligations for authorisations to disclose telecommunications data.

All of that may sound quite dry, but speaking as a former senior executive at a large telecommunications company I assure you that these are matters which engage the attention of a large number of people in the telecommunications and information technology sectors, as well as the law enforcement and justice authorities. I want to make three key points. My first is that the international nature of cybercrime, reflecting in turn the international nature of the internet, makes this kind of international cooperation essential if authorities in any one country are to join with authorities in other countries to achieve appropriate responses to online criminal activity. The second point is that one of the aspects of this package of legislation is that there are significant operational impacts on telecommunications carriers and internet service providers. I want to highlight my concern that focus needs to be given to allowing these companies sufficient time to implement the new requirements that will be imposed upon them. Thirdly, I point to some of the non-trivial issues of process, fairness and equity of approach which have been highlighted in the very good report of the Joint Select Committee on Cyber-Safety. My view is that we need to see a response from the government on some of these issues.

Let me turn firstly, therefore, to make the point that there is a growing and international threat from cybercrime. I quote the recently departed Chief Executive Officer of the Internet Industry Association, Peter Coroneos, who said:

It is critically important for the future of the internet that we develop globally consistent policies to tackle the spectre of cybercrime and potentially, cyberterrorism.

When he made these remarks, Mr Coroneos talked about the icode model, which has been adopted by the Internet Industry Association, as a private sector response to this threat. He noted that icode is being examined by international organisations like the OECD and APEC. A private sector approach is very much to be encouraged and welcomed, but the nature of this problem is one which requires a comprehensive global approach involving the government as well as the private sector.

Let me also cite some remarks on this topic by US President Obama, speaking on 29 May 2009. He had this to say:

It is the great irony of our information age—the very technologies that empower us to create and to build also empower those who would seek to disrupt and destroy. And this paradox—seen and unseen—is something that we experience every day.

He went on to make the following observations about the American people, but you could replace the word American with Australian or indeed the identity of peoples of any country around the world. He said that tackling the problem of cybercrime was:

… about the privacy and the economic security of American families. We rely on the Internet to pay our bills, to bank, to shop, to file our taxes. But we've had to learn a whole new vocabulary just to stay ahead of the cyber criminals who would do us harm—spyware and malware and spoofing and phishing and botnets. Millions of Americans have been victimized, their privacy violated, their identities stolen, their lives upended, and their wallets emptied. According to one survey, in the past two years alone cyber crime has cost Americans more than $8 billion.

I repeat the point that similar remarks could be made about the peoples of any nation including Australia with perhaps some appropriate scaling down of that particular figure that he quoted. The fundamental point is that cybercrime is international in nature. We have known for more than 15 years that Australia's classification system faces great challenges because pornographic material can be hosted on servers around the world. I might add that the long promised internet filter from Minister Conroy is not a practical or workable solution, as he appears to have in practice conceded by hastening extremely slowly with that particular policy.

We know that criminal gangs in many parts of the world, Russia and many other countries, target consumers all around the world including in Australia. We know that fraudulent activities over the internet emerge from many different parts of the world. Those Nigerian reserve bank emails do not necessarily come from Australia, although I might add they do not necessarily come from Nigeria either. The central point is that international fraudulent and criminal activity over the internet is occurring in many different countries. Accordingly, if we are to find solutions to these problems, there must be cooperation between international authorities. The more that jurisdictions are able to link together so that cybercrime masterminded in one country but affecting victims in another can be effectively pursued the better. That is the underlying purpose of the Council of Europe Convention on Cybercrime.

To return to the question of why it is that Australia would sign up to a convention between European nations, the point is that the title is slightly misleading because so far the convention has also been acceded to by the US, Canada, Japan and South Africa. If this bill passes into law, Australia will also be able to accede to this convention. It is the first international treaty which addresses crimes committed either against or via computer networks and it deals particularly with online fraud, with offences related to child pornography and with the unauthorised access, use or modification of data stored on computers. The principal objective is to pursue a common criminal policy aimed at the protection of society against cybercrime.

I want to briefly turn to the second point I want to highlight this evening which is that the impact of this legislation on telecommunications carriers and internet service providers is significant. Drawing on my previous experience I can observe that the task of compliance with legal and regulatory obligations is a substantial one for carriers and internet service providers. It occupies a substantial amount of time and resources. The law enforcement liaison unit at Optus involves full time some 10 to 15 employees at different times of the year and those of other companies would be of corresponding sizes. The other key point to make is that when the regime changes and the legal obligations applying to carriers and internet service providers change there is a significant lead time in those companies changing their compliance arrangements. To take one specific example in this bill, if you are to impose a requirement to store data on request for up to 180 days that adds complexity and requires additional data storage capacity. That cannot be delivered overnight.

There is a tendency in government to say 'We've passed the law, we've done what needs to be done and the private sector can get on with meeting their legal obligations.' I would highlight the comments made by Telstra in its submission:

… Telstra would also like to express its serious concerns that there is no transitional period allowing C/CSPs the time to:

          in order to be fully compliant with the new legislation.

          I think that is a serious and substantive concern. I urge the government and the appropriate government agencies to be responsive to that point and to allow sufficient time for implementation and to give serious consideration to another point Telstra made—in my view, quite properly—which is that there is an issue of cost recovery here that needs to be dealt with. In other words, I make the point that while the principle underlying this legislation is a sound one and it is a necessary and appropriate mechanism there are some issues of implementation that need to be carefully considered.

          In the brief time remaining to me I will address some of the issues raised by the Joint Select Committee on Cyber-Safety in its excellent report. They are substantive and deserve a considered response from government in the course of this legislation being considered by the House. For example, a concern was raised that the thresholds which apply to the issuing of a stored communication warrant for investigation of a serious foreign offence should be the same thresholds that apply for domestic investigations. There was a concern raised that law enforcement agencies of a foreign country could request information in circumstances where there are not privacy protection measures in place in that foreign country which meet standards that we in Australia would regard as acceptable. The Law Council of Australia argued that while it does not object in principle to assistance between international police forces the ability of Australian law enforcement agencies to share data directly with counterparts overseas should be subject to strict conditions.

          Finally, one of the concerns raised was by state governments noting that this legislation greatly expands the scope of the Commonwealth computer crime offences and raises the question of the impact of this on the existing state legislation. Therefore, while I am a supporter of this legislation in the broad, I make the point that there appear to be some details which ought properly be addressed by this government in the course of taking this legislation through the parliament.

          Comments

          No comments