House debates

Wednesday, 24 August 2011

Bills

Cybercrime Legislation Amendment Bill 2011; Second Reading

10:19 am

Photo of Stuart RobertStuart Robert (Fadden, Liberal Party, Shadow Minister for Defence Science, Technology and Personnel) Share this | | Hansard source

I rise to lend some brief comments on the government's Cybercrime Legislation Amendment Bill 2011. Whilst the coalition broadly support the bill, a range of concerns have been raised that coalition speakers have previously moved through. In its simplest form, the bill seeks to require carriers and carriage service providers to preserve the stored communications and telecommunications data for specified persons when requested by certain domestic agencies; to ensure agencies are able to obtain and disclose telecommunications data and stored communications for the purposes of foreign investigations; and to provide for extraterritorial operation of certain offences. It will amend the computer crime offences in the Criminal Code Act and create confidentiality requirements in relation to authorisations to disclose telecommunications data.

The Joint Select Committee on Cybersafety's review of the bill came up with a range of recommendations in their final report. The committee took the approach of ensuring that thresholds that applied to domestic investigation are equally applied to foreign countries seeking access to Australian communications materials. One of the recommendations is that the Australian Federal Police guidelines on police-to-police cooperation in possible death penalty scenarios be tightened and only occur in exceptional circumstances and with the consent of the relevant ministers—in this case, the Attorney-General and the Minister for Justice and Minister for Home Affairs. A range of recommendations like that have been put forward. Whilst we support the objectives of the bill and are broadly satisfied with the safeguards the Attorney-General has put forward, we remain concerned and will watch with great interest to see if the legislation operates as the Attorney-General intends.

There was a range of submissions to the committee, which complained that the convention did not contain sufficiently robust privacy and civil liberty protections to offset the increased surveillance and information-sharing powers it implements. The powers governing the real-time collection and preservation of computer data were identified as being of some concern. However, powers for mass surveillance, such as wire-tapping and eavesdropping—the black arts—are not enhanced by this legislation because the amendments are limited to telecommunications legislation which still requires the issue of a warrant and does not extend to surveillance devices.

I will make the point that, whilst the coalition broadly support the direction of the bill, we believe that the government must continue to address the issue of cybersecurity not just on a legislative basis but also in terms of our capacity to protect. There is no question that the art of cyberattack is growing and is one of the most pervasive and fastest growing asymmetric means of attack, not only globally but within our region. The Cyber Security Operations Centre, when the then minister—who was two ministers ago; we are now on our third Minister for Defence in four years—launched it in May 2009, was broadly supported, the intent being to maximise the government's ability to detect and rapidly respond to fast-evolving, aggressive cyber attacks. The original funding was something like $14 million. The intent was to have a continually staffed watch office and an analysis team able to respond immediately to cybersecurity threats as they are detected. The new centre was established in DSD, which incidentally possesses its own significant cybersecurity expertise. It would be good if the government would report back on exactly how the Cyber Security Operations Centre is going, how the 24-hour watch is progressing. It would be good to get some statistics on the amount of asymmetric cyber attack the nation is experiencing.

I am concerned, however, that the former head of the defence department's military cyber unit, Tim Scully, has called on the government to 'speed up its response to the emerging cyber arms race', saying more funding is needed for key civilian agencies. Those comments were reported by Dylan Welch, the Sydney Morning Herald's National Security Correspondent. It does bring to the fore the question: is the government doing enough to protect the nation from the threat of cybercrime and to ensure law enforcement agencies and others have access to the legislation they need to be able to do their job?

In terms of the Cybercrime Legislation Amendment Bill, I have taken the Attorney-General at his word that the safeguards are in place and the necessary provisions are indeed there in the legislation for the purposes of law enforcement, among others. But I would stress to the Attorney-General, who is sitting at the table, that we need to continue to stay at the forefront when it comes to cybersecurity and cyberlegislation to be able to defeat the asymmetric attacks that cybercrime and foreign espionage services will use in this space. It is fundamental that Australia maintains a leading technological edge in dealing with cybercrime and the threat it poses to our national security and our national interests.

10:24 am

Photo of Robert McClellandRobert McClelland (Barton, Australian Labor Party, Attorney-General) Share this | | Hansard source

I thank all speakers for their contribution to this debate. I must say I was impressed by the substance of all contributions, and I think that does credit to all those who did speak. Just to address some of the matters raised by the member for Fadden, yes, certainly I can obtain for him some statistics from the Cyber Security Operations Centre. That is actually under the responsibility of the Minister for Defence; nonetheless, it is a multi-agency task force and I will obtain details. In addition, the member for Fadden should be aware of the activities of AusCERT, the Australian Computer Emergency Response Team, based in the Attorney-General's Department. That essentially provides a one-stop shop for businesses and members of the community who have concerns about cybersecurity incidents. In turn, AusCERT can obtain expert advice from the Cyber Security Operations Centre. I would also advise the member for Fadden of the fact that the Australian Security Intelligence Organisation has established at its headquarters a dedicated cybersecurity espionage centre dealing with state-sponsored espionage. More broadly, I refer him and members generally to those matters that may affect our constituents, and I would recommend as a first port of call, at least, the website Stay Smart Online, which is www.staysmartonline.gov.au. The site has reference to a number of useful links in respect of the variety of circumstances that our constituents might confront in the cybersecurity area.

I will comment on a number of other matters that members raised and address those issues, as well as some that have been reported in the media. With Australian families, businesses and governments conducting more and more activities online, cybercrime has already overtaken the drug trade as the most profitable form of crime in the world, and addressing this requires a consistent international framework that deals with the global nature of cybercrime by supporting cooperation between jurisdictions. I would like to acknowledge the outstanding work of all agencies in investigating cybercrime and, in particular, the Australian Federal Police.

In addition, in response to matters honourable members have commented on in the course of the debate—for instance, the member for Richmond, who is at the table, and the member for Canberra in their contributions yesterday—I can report that at a recent meeting of Commonwealth law ministers, represented, I think, by 44 law ministers from around the Commonwealth, we were briefed on an international police operation that smashed the largest child sex abuse case in world history. After three years of investigation into a website entitled boylover.net, police agencies identified some 70,000 persons who were using that site, and the investigations resulted in the rescuing of some 230 children from situations of horrific abuse as well as the successful prosecution of a number of perpetrators. The successful police investigation into this site would not have been possible without cooperation between overseas agencies and their modern, online crime-fighting capabilities—and, I should say, the voluntary cooperation of internet service providers and carriers.

Child abuse is one aspect of cybercrime—unquestionably, its most abhorrent—but there are also other aspects that have the potential to affect any citizen. These include identity theft, online fraud or even using the internet to plan an organised criminal activity in the real world. I note, for instance, that evidence of electronic communication has been a feature of virtually all terrorist prosecutions in Australia.

The Council of Europe's Convention on Cybercrime is in fact the only binding international treaty on cybercrime. It sets out the procedures that support cooperation among its signatories. By acceding to the convention, Australian law enforcement agencies will be able to access and share information necessary to support local and international cybercrime investigations. While many of the convention's obligations are already provided for in Australian law, the bill makes amendments that ensure Australia's full compliance with the convention. This will mark a significant step forward in our efforts to address the growing threat to the Australian community posed by cybercrime and the need to protect the community from internet abuses. For cybercriminals, our accession to the convention will mean that there are fewer places to hide.

The bill has recently been considered by the Joint Select Committee on Cybercrime, which reported to parliament late last week. I note a number of contributors have referred to the report. I would certainly like to thank the committee members for their detailed work on the bill, particularly the chair, Senator Bilyk. I am currently considering the committee's recommendations and will respond in time for the debate to proceed in the Senate. In the meantime, the passage of the bill through the House is a significant step forward and a clear sign to our international colleagues that Australia is committed to pursuing its proposed accession. I appreciate the bipartisan support for that.

Amendments to the Telecommunication (Interception and Access) Act, the interception act, the Mutual Assistance in Criminal Matters Act and the Criminal Code are needed to fully comply with the convention. Under the interception act, state and territory enforcement agencies can apply for a warrant to access communications held by carriers on their networks. However, carriers' business practices differ and they often mean that communications are deleted before agencies have the opportunity to exercise a warrant to obtain access. One carrier, for instance, deletes messages within 24 hours of a message's creation.

Whilst other carriers have voluntarily provided assistance in the past—and I have referred to the international paedophilia law enforcement action—the bill amends the interception act so that an agency can formally require a carrier to preserve stored communications by reference to an individual or telecommunications service. This formality is desirable both from a law enforcement perspective and from the point of view of the service providers and carriers. The approach will mean that computer data, SMS messages, emails and other communications stored by the carrier will remain available while ensuring the interception act remains technologically neutral. Importantly, access to these communications will continue to be and only be available by way of warrant.

The bill will rely on Australia's existing mutual assistance frameworks to enable the improved exchange of stored communications and non-content data to assist in the investigation of certain foreign offences. The grounds for refusal in the mutual assistance act, including dual criminality and a ground to refuse assistance where the request would involve abuse of process or relates to a political offence, will continue to apply to requests for both access to stored communications and for access to prospective telecommunications data. Whilst not including new offences in the Criminal Code, the bill does expand the scope of the Criminal Code so that it can deal with criminal conduct outside of its existing limitations. The Criminal Code already contains saving provisions that ensure the continued operation of state laws in a number of areas. Importantly, the amendments contained in the bill will achieve Australia's full compliance with the cybercrime convention and support our effort to counter cybercrime.

Finally, I would like to take this opportunity to clarify some concerns that have been raised relating to the proposed amendments. I note there have been concerns expressed that the government is going beyond its convention obligations in requiring the broad retention of telecommunications data. The explanatory memorandum clarifies, however, that preserving the contents of a stored communication will also mean that details such as the name and number of the senator or recipient will also be preserved. This is to ensure that a communication can be linked to a person. The bill does not provide for a regime like the European Data Retention Directive where a carrier would be asked to retain information about every phone call, email or other types of communications passing over their networks. I think that point needs to be made.

I note some have expressed concern believing or alleging that the bill does not sufficiently clarify what communications can be preserved and, as a result, it has been asserted that it may permit the preservation of all communications over a network. This is, in fact, incorrect. The reality is that the existing interception act enables warrants in relation to a telecommunications service, that is, a phone number or an email address, not—I repeat not—an entire system. It is important that that point be understood.

In relation to the concerns about the access of information by foreign agencies, it is also worth reiterating that assistance to foreign agencies is subject to the protections of the Mutual Assistance in Criminal Matters Act. This includes grounds for refusal to provide information where it would involve abuse of process or other injustice or would be otherwise contrary to the national interests or national security of Australia. The bill will not add any layers of bureaucracy. In fact, it will aid and improve cooperation between agencies in exchanging this electronic form of information.

The mutual assistance act also includes grounds for refusal relating to the death penalty. The act states that a request for assistance must be refused where a person has been charged with or convicted of a death penalty offence unless there are special circumstances that warrant the provision of assistance—that is, section 8(1A). Also a request may be refused where it may result in the death penalty being imposed on a person: for example, where the request is made at the investigation stage—that is, section 8(1B). Those provisions are administered by me and the Minister for Home Affairs and Minister for Justice on a pretty regular basis. The bill also requires that information provided under the mutual assistance arrangements occurs only if it is used for the purpose for which it is requested and that it is destroyed once it is not necessary for that purpose.

I also point out that significant protections exist to ensure the privacy and integrity of any information while it is preserved. The interception act contains a general prohibition on the use or disclosure of information obtained by telecommunications interception warrant, stored communications warrant or authorisation to disclose telecommunications data. The interception act also contains protections about the existence of telecommunications interception and stored communications warrants. It will be an offence, subject to certain exceptions in the interception act, to use or disclose preserved information or information about preservation notices. In addition to this criminal mechanism, preserved information will also need to be managed in a manner that is consistent with the National Privacy Principles as set out in the Privacy Act. This applies to those provisions bound by the Privacy Act, including to manage the information securely. With respect to this matter, I reiterate that cybercrime is an offence that applies literally right around the world. It can be perpetrated by a computer system sitting in the northern regions of Siberia, to choose an example, as easily as it can be perpetrated by a computer at the next-door neighbour of any citizen. It applies in areas that include, most abhorrently, as I have indicated, the exploitation of children, but its tentacles extend to the daily lives of all citizens, including obviously the issue of identity theft. The figures that have been recently released show that literally every Australian has either some experience or knows someone who has experienced identity theft. Equally, the use of the internet and other electronic communications to perpetrate fraud is a growing element.

In terms of our nation's national interests, research that has been undertaken in the United Kingdom shows that the United Kingdom is losing intellectual property each year via electronic extraction at the rate of about £16 billion. Similar research has not been undertaken in Australia. I commend the bill to the House. (Time expired)

Question agreed to.

Bill read a second time.