Guidelines seek to prevent repeat of ASIC website blocking debacle

Govt consults on limits for website blocking law

Draft guidelines for government agencies on the use of a controversial website blocking law seek to restrict it to only serious offences and to ensure that agencies work to limit the online services disrupted.

However, the guidelines comprise only a collection of recommended good practices for agencies rather than firm restrictions on the law's use. The guidelines will only apply to federal entities, though the document recommends their use by state and territory agencies.

The consultation on use of Section 313 of the Telecommunications Act 1997 comes some three years after the Australian Securities and Investments Commission (ASIC) discovered that its use of the law – under which notices can be issued to ISPs compelling them to block subscriber access to certain websites – had erroneously blocked hundreds of thousands of websites.

S313 compels telcos to "give officers and authorities of the Commonwealth and of the States and Territories such help as is reasonably necessary" for "enforcing the criminal law and laws imposing pecuniary penalties", "assisting the enforcement of the criminal laws in force in a foreign country", "protecting the public revenue", and "safeguarding national security".

As a result, a sizeable array of state and federal agencies can potentially employ the mechanism.

When ASIC in early 2013 issued a request for an IP-based block targeting online fraud it effectively rendered inaccessible a number of non-fraud-related websites to some Australians.

In the wake of the incident in March 2013, an internal review by ASIC of the s313 notices it had issued revealed that in one case it had blocked more than 250,000 unrelated websites.

In mid-2014 the ASIC incident triggered a parliamentary inquiry into the use of s313.

That inquiry recommended the development of guidelines on the use of the law.

The draft guidelines advise agencies to limit disruptions to serious criminal or civil matters, or matters involving national security.

As an indicative guide the document says that agencies should consider limiting s313 notices to offences that carry a maximum prison term of at least two years or a financial penalty of $21,600 (120 Commonwealth penalty units).

In addition to a threshold for issuing a website-blocking notice, the guidelines cover five other areas, including ensuring that the use of s313 is restricted to staff with an appropriate level of seniority.

In general, agencies should develop and publish online policies and procedures for disruption requests, the draft guidelines state. At a minimum, agencies should publish on their website that they have the power to issue disruption notices.

Requests to block a service should expire after a specified time, the guidelines state.

“With the transient nature of the internet, agencies should have ‘self-review’ procedures to monitor ongoing disruptions and ensure they remain appropriate,” the document states.

Agencies are also encouraged to publish details of the services they have targeted with s313.

The guidelines state: “Agencies should publish each request and include (wherever practicable and reasonable in the particular circumstance) why the request has been made. Public notification can occur through means such as media releases and online posts.”

“Where appropriate, agencies should provide internet service providers with a generic government ‘stop page’ to be shown to members of the public if they try to access a disrupted site,” the draft states.

Use of the power should be reported to the Australian Communications and Media Authority, which can include statistics on the use of s313 in its annual report.

Agencies should also develop a complaints and review process, the draft states.

“Agencies should review a disruption upon request by an affected party within timeframes consistent with their established complaints and review procedures,” the document says.

“Agencies should contact the relevant carrier or carriage service provider to arrange for the disruption to be lifted if their review reveals that the disruption is no longer appropriate.”

Finally, the guidelines state that agencies “should have the requisite level of technical expertise, or procedures for drawing on the expertise of other agencies or external experts”.

The ASIC debacle took place when the agency requested that ISPs block an IP address. It was later revealed that the organisation had not been aware that many websites or online services can share a single IP address, as is routine on shared hosting and content delivery platforms.

“When making a request, agencies should endeavour to make it as targeted as possible,” the draft states.

“This usually means requesting that a Uniform Resource Locator (URL)—the specific address of a website—be blocked, rather than Internet Protocol (IP) addresses. IP addresses generally host multiple websites; requests to block these risk disrupting access to non-target websites.”
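The blast-radius check the guidelines imply can be automated before a request is sent to a carrier. The following Python script is an added example, not code from the article, ASIC or the draft guidelines: it takes a target URL, looks up every IP address the hostname has been observed resolving to, and lists every other hostname observed on those addresses. The passive-DNS records, hostnames and addresses are constructed for the example (documentation ranges, not real sites); in practice the records would come from resolver logs or a passive-DNS service.

```python
"""Estimate the collateral impact of an IP-level block before requesting one.

Constructed example: the hostname -> IP observations below are invented,
passive-DNS-style data using documentation address ranges. The names are
hypothetical and do not refer to real sites.
"""
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed observations: (hostname, IPv4 address).
PASSIVE_DNS = [
    ("fraud-invest.example", "203.0.113.10"),
    ("community-college.example", "203.0.113.10"),  # shares the IP: collateral
    ("localbakery.example", "203.0.113.10"),
    ("shop.example", "203.0.113.10"),
    ("scam-loans.example", "198.51.100.7"),
    ("scam-loans.example", "198.51.100.8"),          # round-robin: two addresses
    ("standalone-fraud.example", "192.0.2.44"),      # sole observed tenant
]


@dataclass
class ImpactReport:
    target_host: str
    target_ips: list          # every address the target was observed on
    collateral: dict          # ip -> sorted other hostnames sharing that ip
    recommendation: str


def build_indexes(records):
    """Forward (host -> ips) and reverse (ip -> hosts) indexes, case-folded."""
    host_to_ips = defaultdict(set)
    ip_to_hosts = defaultdict(set)
    for host, ip in records:
        host_to_ips[host.lower()].add(ip)
        ip_to_hosts[ip].add(host.lower())
    return host_to_ips, ip_to_hosts


def assess_ip_block(target_url, records=PASSIVE_DNS):
    """Report what an IP-level block of the target's addresses would also hit."""
    host = urlsplit(target_url).hostname
    if host is None:
        raise ValueError(f"no hostname in {target_url!r}; supply a full URL")
    host = host.lower()
    host_to_ips, ip_to_hosts = build_indexes(records)
    ips = sorted(host_to_ips.get(host, ()))
    if not ips:
        raise LookupError(f"no observed resolution for {host}")

    # Other hostnames seen on each of the target's addresses.
    collateral = {ip: sorted(ip_to_hosts[ip] - {host}) for ip in ips}
    hit = sum(len(v) for v in collateral.values())
    if hit:
        recommendation = (
            f"do not request an IP block: {hit} other hostname(s) observed on "
            f"{len(ips)} address(es); request a URL/hostname-level block for {host}"
        )
    else:
        # Absence of other tenants in our data is not proof there are none:
        # passive DNS only records names that were actually queried.
        recommendation = (
            "no other hostnames observed on these addresses, but the data is "
            "incomplete; still prefer a URL/hostname-level block and set an expiry"
        )
    return ImpactReport(host, ips, collateral, recommendation)


if __name__ == "__main__":
    for url in ("http://fraud-invest.example/login",
                "https://scam-loans.example/",
                "http://standalone-fraud.example/"):
        report = assess_ip_block(url)
        print(report.target_host, report.target_ips)
        for ip, others in report.collateral.items():
            print(f"  {ip}: {len(others)} other host(s) {others}")
        print("  ->", report.recommendation)
```

The script only answers the "how many others share this address" question; a hostname-level block still needs its own review, since one hostname can front many paths and a single URL block can be trivially sidestepped by the operator moving content. The expiry and self-review steps in the guidelines are what catch both drift cases.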

The Department of Communications is seeking comment on the draft guidelines until 27 May.
