spacer
Australian Government Solicitor

 

    View the AGS Twitter account    Visit the AGS YouTube channel     Visit the AGS LinkedIn page
Commercial notes  

Follow us on Twitter


Commercial Notes

No. 20
19 September 2006

Recent developments in telecommunications interception and access law

Andrew Schatz

Andrew Schatz Senior Lawyer
T 08 8205 4201 F 08 8205 4499
andrew.schatz@ags.gov.au

This note discusses the amendments to the Telecommunications (Interception) Act 1979 (Cth) (the TI Act) introduced by the Telecommunications (Interception) Amendment Act 2006 (Cth) (the Amending Act). It also analyses the new telecommunications interception and access regime and its implications for employers and network administrators.

Parliament’s primary concern in passing the Amending Act was to strike the right balance between empowering law enforcement agencies and protecting the privacy of personal communications during their passage over telecommunications systems.1 According to the Explanatory Memorandum to the Amending Act (the EM), the telecommunications interception regime is intended to protect the privacy of personal communications by generally prohibiting the interception of communications, subject to certain limited exceptions where privacy is outweighed by other considerations.2 Australian courts have also referred to this privacy objective on a number of occasions.3

The Amending Act amends the TI Act to implement certain recommendations of the Report of the Review of the Regulation of Access to Communications prepared by Anthony Blunn AO (the Blunn Report). Mr Blunn was asked to review policy options for the regulation of access to telecommunications, with a particular emphasis on new and emerging telecommunications technologies. The resulting report, which is the fifth major report dealing with telecommunications interception legislation since 1994, was presented to Parliament on 14 September 2005.

It is also worth noting by way of introduction that the name of the TI Act changed to the Telecommunications (Interception and Access) Act 1979 (Cth) (the TIA Act) on 13 June 2006. The new title better reflects the fact that while the TIA Act continues to govern the interception of telecommunications in Australia, it also establishes a warrant regime for enforcement agencies to access ‘stored communications’ held by telecommunications carriers.4

The principal amendments

The principal amendments introduced by the Amending Act:

  • establish a regime to govern access to ‘stored communications’ held by telecommunications carriers (Schedule 1) (the Stored Communications Amendments)
  • enable the interception of communications of persons known to communicate with a ‘person of interest’ in certain limited circumstances (Schedule 2)
  • enable interception of telecommunications services on the basis of the use of a telecommunications device in certain limited circumstances (Schedule 3)
  • remove the distinction between class 1 and class 2 offences for which telecommunications interception powers are conferred on law enforcement agencies (Schedule 4)
  • remove the Telecommunications Interception Remote Authority Connection function currently exercised by the Australian Federal Police and transfer the associated warrant register function to the Commonwealth Attorney-General’s Department (Schedule 5).

This note focuses on the Stored Communications Amendments (Schedule 1), which commenced on 13 June 2006. The Stored Communications Amendments are of particular relevance to employers and network administrators who are responsible for operating and maintaining computer networks with Internet and email facilities. This is because accessing, monitoring and/or recording email and Internet communications are an essential part of many filtering, quarantining, archiving, disaster recovery and professional standards related practices.5 Accordingly, any laws restricting the extent to which communications can be accessed or recorded are likely to have an impact on the capacity of employers and network administrators to maintain and protect their computer networks against damage or misuse.

The new meaning of the term ‘stored communications’

The Stored Communications Amendments are intended to preserve the distinction between accessing stored communications and intercepting real-time communications as recommended in the Blunn Report (see the EM at p. 4). However, the previous definition of stored communications inserted at s 7(3A) of the TI Act by the Telecommunications (Interception) Amendment (Stored Communications) Act 2004 (Cth) (the Stored Communications Act)6 has been replaced by the following definition (at s 5(1) of the TIA Act):

stored communication means a communication that:

(a) is not passing over a telecommunications system; and

(b) is held on equipment that is operated by, and is in the possession of, a carrier; and

(c) cannot be accessed on that equipment, by a person who is not a party to the communication, without the assistance of an employee of the carrier.

Accordingly, the term ‘stored communications’ no longer applies to all communications stored in any form other than on a ‘highly transitory basis’ and the new prohibition on ‘accessing stored communications’ only applies to communications that are accessed via a telecommunications carrier. According to the EM (at pp. 4–5), this limitation expressly recognises the ability of enforcement agencies to continue using lawful access arrangements to access communications stored on devices that are accessible without the assistance of a telecommunications carrier (e.g. through production by consent, a search warrant or a notice to produce).

The EM (at p. 6) and the Supplementary Explanatory Memorandum (the Supplementary EM – at p. 3) summarise the application of the new telecommunications interception and access regime as follows:

  • communications that are ‘passing over a telecommunications system’ remain subject to the general prohibition on interception (s 7 of the TIA Act)
  • communications that are ‘stored communications’ are subject to the new prohibition on accessing stored communications (s 108 of the TIA Act)
  • communications that are not passing over a telecommunications system and are not ‘stored communications’ (because they are not accessed via a telecommunications carrier) remain subject to general principles of lawful access including consent, general search warrants and notices to produce.

There is no specific reference in the EM, the Supplementary EM or the second reading speech to the ability of employers or network administrators to access communications held on equipment they possess and operate. However, by implication, the new provisions of the TIA Act permit employers and network administrators to lawfully access and record communications held on equipment they possess and operate at any time except when the communications are ‘passing over a telecommunications system’.

The new ‘stored communications warrant’ regime

Chapter 3 of the TIA Act establishes the general prohibition on accessing ‘stored communications’ subject to certain limited exceptions. Section 108(1) of the TIA Act states that a person commits an offence (punishable by a penalty including imprisonment up to 2 years) if:

(a) the person:

(i) accesses a stored communication; or

(ii) authorises, suffers or permits another person to access a stored communication; or

(iii) does any act or thing that will enable the person or another person to access a stored communication; and

(b) the person does so with the knowledge of neither of the following:

(i) the intended recipient of the stored communication;

(ii) the person who sent the stored communication.

However, s 108(2) of the TIA Act provides, among other things, that s 108(1) does not apply to:

(a) accessing a stored communication under a stored communications warrant; or

(b) accessing a stored communication under an interception warrant.

A number of concerns were raised about the new stored communications warrant regime during the relevant Parliamentary debates and Senate Committee consideration, including the lower threshold for, and broader access to, stored communications warrants compared to telecommunications interception warrants.7 However, the government responded by emphasising the higher threshold for stored communications warrants compared to standard search warrants, as well as the additional record keeping and reporting requirements introduced to promote accountability.8

The difference between ‘accessing’ and ‘intercepting’

Section 6AA of the TIA Act defines the term ‘accessing a stored communication’ to mean:

… listening to, reading or recording such a communication, by means of equipment operated by a carrier, without the knowledge of the intended recipient of the communication.

By comparison, s 6(1) of the TIA Act retains the following TI Act definition of ‘intercepting a communication passing over a telecommunications system’:

… listening to or recording, by any means, such a communication in its passage over that telecommunications system without the knowledge of the person making the communication.

While the new definition of ‘accessing a stored communication’ includes ‘reading’, the unchanged definition of ‘intercepting a communication passing over a telecommunications system’ does not. However, the distinction may be of little consequence given the impracticality of reading a communication passing over a telecommunications system without creating a copy.9

It is also worth noting that the two definitions differ in terms of whose knowledge matters for the purpose of determining whether or not the interception or accessing is unlawful. Section 108(1)(b) of the TIA Act only prohibits accessing a stored communication with ‘… the knowledge of neither of the following’:

(i) the intended recipient of the stored communication;

(ii) the person who sent the stored communication.

Accordingly, s 108(1)(b) permits lawful access to stored communications without a warrant provided the sender, or the intended recipient, or both of those parties, know in advance that the stored communications will be accessed.10 However, Parliament did not equally limit the general prohibition on interception of communications, and notification of the person making the communication is required to avoid unlawful interception. This may continue to prove problematic given the impracticality of notifying all potential senders of communications in advance that their communications may be intercepted while in transit.11

The new concept of ‘passing over a telecommunications system’

The Stored Communications Amendments are intended to clarify when a communication is ‘passing over a telecommunications system’ principally for the purposes of the prohibition on intercepting such communications in s 7.12

To that end, s 5F(1) of the TIA Act states that a communication:

(a) is taken to start passing over a telecommunications system when it is sent or transmitted by the person sending the communication; and

(b) is taken to continue to pass over the system until it becomes accessible to the intended recipient of the communication.

However, s 5F(2) alters the position with respect to communications sent from addresses on computer networks operated by or on behalf of the Australian Federal Police (the AFP) for a period of two years from 13 June 2006. Such communications are not taken to start passing over a telecommunications system for the purposes of the TIA Act until they are no longer under the control of any of the following:

(a) any AFP employee responsible for operating, protecting and maintaining the network;

(b) any AFP employee responsible for enforcement of the Professional Standards of the Australian Federal Police.

The references to ‘operating, protecting and maintaining the network’ and ‘enforcement of the Professional Standards of the Australian Federal Police’ recognise the operational difficulties that could arise if the AFP and its network administrators were unable to lawfully access (or intercept) a communication sent from a telecommunications device within an AFP computer network before the relevant communication reached its network boundary (the gateway). In fact, the Supplementary EM states (at p. 3) that the insertion of s 5F(2):

... will enable lawful access to those communications for the AFP within the AFP network boundary.

However, while the AFP has been given the right to lawfully access and record outgoing communications at or prior to its gateway for operational, security, maintenance and professional standards purposes, a similar right has not been extended to employers and network administrators more generally. Accordingly, all organisations should review their network administration policies and practices to ensure they do not authorise or engage in behaviour that is unlawful under the new telecommunications interception and access regime.

In particular, if there is a need to access or copy outgoing communications at or prior to a gateway, then organisations should ensure their employees and other network users are adequately informed in advance. Carefully drafted and promulgated policy documents will help, but regular reinforcement through online screen prompts and user training sessions may also be required.13

Determining when a communication is ‘accessible to its intended recipient’

It is necessary to consider when a particular communication becomes ‘accessible to its intended recipient’ to determine whether it is ‘passing over a telecommunications system’. To that end, s 5H(1) provides that a communication is accessible to its intended recipient if it:

(a) has been received by the telecommunications service provided to the intended recipient; or

(b) is under the control of the intended recipient; or

(c) has been delivered to the telecommunications service provided to the intended recipient.

The application of s 5H(1) is fairly straightforward with respect to clearly defined telecommunications services provided by carriers such as home dial-up Internet and email services. However, the position is more complicated with respect to communications sent to intended recipients at electronic addresses on corporate computer networks (e.g. the work email address of an employee of a business or government agency).

On one view of the matter, the ‘telecommunications service’ provided in such a case could constitute the entire network that enables the intended recipient to access communications passing over external telecommunications systems operated by telecommunications carriers (i.e. all lines and equipment comprising the telecommunications network from the gateway to the relevant telecommunications device used by the intended recipient). On this view, all incoming communications would cease passing over the relevant telecommunications system at the gateway of the relevant destination network. Accordingly, the communications would no longer be subject to the general interception prohibition and the organisation or administrator responsible for operating the network could lawfully access and record the incoming communications at the gateway.

However, it is possible that a court may consider that allowing organisations to intercept communications at the gateway to a computer network would contravene the privacy objectives of the TIA Act,14 particularly in view of the provisions set out in s 5G (as discussed directly below).

Identifying the ‘intended recipient’ of a communication

Section 5G(1) of the TIA Act defines the term ‘intended recipient’ as follows:

(a) if the communication is addressed to an individual (either in the individual’s own capacity or in the capacity of an employee or agent of another person)—the individual; or

(b) if the communication is addressed to a person who is not an individual—the person; or

(c) if the communication is not addressed to a person—the person who has, or whose employee or agent has, control over the telecommunications service to which the communication is sent.

Accordingly, in the case of a communication sent to the electronic address of an employee or other user on a corporate network, the TIA Act provides that the communication continues to pass over the telecommunications system until it becomes ‘accessible to’ the individual user to whom the relevant communication is addressed (see the EM at p. 6).

In addition, s 5G(2) of the TIA Act was inserted to provide a specific definition of ‘intended recipient’ for communications sent to an electronic address on a computer network operated by or on behalf of the AFP. The Supplementary EM (at p. 4) explains the effect of the new s 5G(2) in relation to the AFP as follows [emphasis added]:

The effect of the amendment will be to enable the AFP to intercept (copy) all e-mail communications received at the AFP network boundary before they are received by the individual intended recipient. Unlike all other organisa-tions, the AFP will therefore be able to access these communications without warrant before they are received by the intended recipient. This is to ensure the maintenance of the AFP’s Professional Standards.

All other organisations will be prohibited from accessing stored communications without a warrant until such time as they are received by the intended recipient, thereby ensuring that only communications that have been deliv-ered to, are under the control of, or are accessible by the intended recipient may be accessed without warrant.

The extracted portion of the Supplementary EM is difficult to reconcile in some respects with the actual wording of s 5G(2) of the TIA Act.15 However, the provisions themselves, and the EM, suggest that communications continue to ‘pass over a telecommunications system’ until they are able to be physically accessed by their intended individual recipient, within a corporate network. It is not necessary that the intended individual recipient actually accesses the communication for it to complete its passage. However, it appears that an incoming email sent to an individual user on a corporate network would only complete its passage over the telecommunications system when it arrives at the destination mail server and is able to be accessed by its intended recipient.

The AFP’s special rights to lawfully access and record incoming communications at its gateway appear intended to complement the legislative reforms introduced by the Law Enforcement (AFP Professional Standards and Related Measures) Act 2006 (Cth) which received Royal Assent on 30 June 2006.16 The government is also aware of the conflict between the general prohibition against interception of communications and the need to allow other organisations and network administrators to lawfully access and record communications passing over their computer networks.17 Accordingly, the current provisions may be an interim measure as the government works towards a long-term solution to the conflict between the general interception prohibition and the operational needs of employers and network administrators.18

Further amendments to the TIA Act may be made during Parliament’s 2006 spring sittings.19 However, in the meantime, it is important that all employers and network administrators understand that the amendments introduced by the Stored Communications Act on 14 December 2004 are no longer effective. As a result, all organisations should review their IT security and acceptable use policies as well as their network administration practices to ensure they do not authorise or engage in behaviour that is unlawful under the new telecommunications interception and access regime.

Concluding remarks

Given Parliament’s primary concern of striking the right balance between empowering law enforcement agencies and protecting the privacy of personal communications, it is perhaps unsurprising that the operational needs of employers and network administrators have not been specifically addressed. The government’s long-term solution to the conflict between the general interception prohibition and lawful access rights for the purpose of network administration will continue to develop. Whilst it does so, organisations should continue to review their policies and practices at regular intervals to account for the ongoing changes in communications technology and the laws that govern it.

Andrew Schatz is the national leader of AGS’s Media and Communications Network. He has extensive knowledge of technology related legal issues and has advised a number of agencies regarding their IT security and acceptable use policies. Andrew has degrees in both law and computer science and has specialist expertise with commercial electronic messaging.

Notes

  1. See the Explanatory Memorandum to the Amending Act at p. 9 and the Hon. Philip Ruddock MP, Attorney-General, House of Representatives Hansard, 16 February 2006, at p. 10.
  2. See the EM at p. 9.
  3. Edelsten v Investigating Committee of New South Wales (1986) 7 NSWLR 222 at p. 229 (Lee J); R v Edelsten (1990) 21 NSWLR 542 at p. 548 (CCA); T v Medical Board (SA) (1992) 58 SASR 382 at p. 398 (Matheson J; Debelle J agreeing); Green v The Queen (1996) 124 FLR 423 at p. 432 (Franklyn J; Pidgeon and Rowland JJ agreeing).
  4. The Hon. Philip Ruddock MP, Attorney-General, House of Representatives Hansard, 16 February 2006, at pp. 7–8.
  5. See AGS Commercial Notes No. 13 (8 February 2005) for further examples of circumstances where network administrators may require access to email and Internet communications passing over their networks.
  6. AGS Commercial Notes No. 13 (8 February 2005).
  7. House of Representatives Hansard for: 28 February 2006 at pp. 95–96 (per Duncan Kerr MP), 1 March 2006 at p. 2 (per Peter Garrett MP) and at pp. 8–9 (per Daryl Melham MP); Senate Hansard for 28 March 2006 at pp. 85–86 (per Senator Natasha Stott Despoja).
  8. See the House of Representatives Hansard for 1 March 2006 at pp. 12,14 (per the Hon. Philip Ruddock MP, Attorney-General) and the Senate Hansard for 28 March 2006 at pp. 93, 124 (per Senator the Hon. Chris Ellison, Minister for Justice and Customs).
  9. The act of opening and viewing an email on a computer monitor usually involves the automatic creation of a ‘pagefile’ record of all or part of the email which can be subsequently retrieved and viewed until such time as it is ‘written over’.
  10. Senate Hansard, 29 March 2006, at pp. 131–132 and 30 March 2006, at pp. 2–4 (per Senator the Hon. Chris Ellison, Senator Joe Ludwig and Senator Natasha Stott Despoja).
  11. See AGS Commercial Notes No. 13 (8 February 2005) at p.2.
  12. See the EM at p. 6 and the Supplementary EM at p. 3.
  13. See AGS Commercial Notes No. 13 (8 February 2005) at p. 6 for an action checklist setting out some of the issues to be considered during any such policy review.
  14. See footnote 4 above and also p. 9 of the EM.
  15. The extracted text twice refers to organisations other than the AFP being unable to access communications without a warrant ‘… before they are received by the intended recipient’. However, an ordinary reading of the provisions suggests that a more accurate explanation would be: ‘All other organisations will be prohibited from intercepting incoming communications before they become accessible to their intended recipient’.
  16. Senate Hansard, 29 March 2006, at pp. 125–129 (per Senator the Hon. Chris Ellison, Senator Joe Ludwig and Senator Natasha Stott Despoja). In particular, see Senator Ellison’s comments on p. 126.
  17. Senate Hansard, 29 March 2006, at pp. 125–126 (per Senator the Hon. Chris Ellison).
  18. See the preceding footnote and also p. 4 of the Supplementary EM.
  19. Senate Hansard, 28 March 2006, at pp. 93, 117 (per Senator the Hon. Chris Ellison.)

Checklist for clients

Ensure your policies and practices:

  • don't endorse unlawful practices
  • keep up with changing laws and technology.

Keep staff/users informed through:

  • carefully drafted policies
  • training sessions and screen prompts
  • alerts on access or recording practices
  • watching for AGS updates.

Seek advice before accessing or recording any incoming communications before they can be accessed by their intended recipients.

Be aware that many popular spam and virus filtering software products record incoming communications as part of the filtering process.

AGS contacts

AGS has a national team of lawyers specialising in communications law. For legal advice please contact Andrew Schatz of our Adelaide office on tel: 08 8205 4201, email andrew.schatz@ags.gov.au, or Robert Orr QC of our Canberra office on tel: 02 6253 7129, email robert.orr@ags.gov.au or any of the lawyers listed below.

Canberra

Jake Blight

02 6253 7035

Sydney

John Berg

02 9581 7624

Melbourne

Jeff Cranston

03 9242 1367

Brisbane

Martin Hanson

07 3360 5643

Perth

Justin Jones

08 9268 1125

Adelaide/Darwin

Andrew Schatz

08 8205 4201

Hobart

Peter Bowen

03 6220 5474


ISSN 1443-9549 (Print)
ISSN 2204-6550 (Online)

For enquiries regarding supply of issues, change of address details etc.
T 02 6253 7052 F 02 6253 7313 E ags@ags.gov.au

The material in these notes is provided to AGS clients for general information only and should not be relied upon for the purpose of a particular matter. Please contact AGS before any action or decision is taken on the basis of any of the material in these notes.