Proposed amendments to the Telecommunications (Interception and Access) Act 1979 being rushed to meet a 12 December 2009 deadline could dramatically increase the monitoring of your electronic communications. The window for public comment has already closed – it was open for just three weeks — and the Attorney-General’s Department won’t be publishing the submissions.
On the surface, the exposure draft legislation appears reasonable. It’s about security, says AGD.
Computer networks — and that includes telephone networks — must be tested and monitored to ensure they’re not vulnerable to security risks and can repel attacks. Monitoring is also a normal part of routine maintenance and performance tuning.
Problem is, those routine tasks might inadvertently breach the TIA Act. Some government agencies have been protected by an exemption, but that expires 12 December. The proposed changes to the TIA Act fix that, and extend the coverage to private networks.
An accompanying discussion paper presents two scenarios which working systems administrators will recognise as quite normal.
However watchdog group Electronic Frontiers Australia isn’t so sure.
EFA’s key concern is that the proposed legislation provides too broad an exemption to the ban on interception. It would allow monitoring to see if the network is being “appropriately used”. That’s defined as “in accordance with any conditions specified, in writing, by the person or body who operates the network, or on whose behalf the network is operated” — provided such conditions are an undefined “reasonable”.
“All network operators in Australia will be able to monitor the substance of communications that pass over their network for compliance with their Acceptable Use Policies — the terms of which could include nearly anything,” says EFA Chair, lawyer Nic Suzor.
The EFA’s submission presents scenarios that would result in the bulk of network communication being intercepted.
If a business network prohibits “excessive personal use”, the EFA is concerned that to build evidence the network operator could monitor the contents of all communications that might be non-work related.
“It is unclear why the collection of the contents of such communications must be intercepted, rather than merely noting their existence,” the EFA says.
“Under the proposed legislation, the contents of all personal emails, banking transactions, and other non-work related communications could be stored and disclosed for ‘disciplinary purposes’.”
If an AUP prohibits using peer-to-peer (P2P) file sharing for copyright infringement, the network operator would be able to monitor all P2P use, since you can only determine if it’s infringing once you know what it is.
“It seriously imposes on the privacy of network users who are using legitimate file-sharing protocols for non-infringing activity,” the EFA says.
The EFA has asked for the legislation to limit the allowed intercepts to a clear set of defined purposes and parties.
Proposed changes to intercept laws are bound to attract submissions from intelligence and police services. Any classified submissions should, obviously, stay classified. But given the Rudd government’s supposed commitment to transparency, why can’t the rest be published?
“It would be inappropriate to publish submissions as it is possible that they contain commercial and operationally sensitive information,” an AGD spokeswoman told Crikey.
“A short public consultation period was considered appropriate to ensure comments received through the public consultation period could be taken into account and changes made where necessary.”