With the government yet to finalise whole-of-government guidelines for the use by federal agencies of Section 313(3) of the Telecommunications Act to block Australians’ access to websites, the Australian Securities and Investments Commission (ASIC) has moved to develop internal guidelines on its use of the power.
Those guidelines are based on the draft Section 313 guidelines released last year by the Department of Communications and the Arts as part of a public consultation. Section 313(3) of the Telco Act has been employed by government agencies to issue notices to ISPs requesting that they block their customers from accessing particular online services.
The use of the power was thrust into the spotlight after ASIC employed it in March and April 2013 in an attempt to have ISPs block access to websites involved in financial fraud. In that case, the notice issued by ASIC erroneously led to ISPs blocking unrelated online services.
In the wake of the incident, it was revealed that a request by ASIC to block access to an IP address used by a fraud-linked site had inadvertently blocked access to some 250,000 other websites. The agency has not employed the power since 3 April 2013, an ASIC spokesperson said.
The incident highlighted a lack of transparency around the use of s313, including a lack of any obligation for an agency to reveal it had requested a website block and the reason or reasons why.
In July 2014, then communications minister Malcolm Turnbull referred the use of s313(3) to the House of Representatives Standing Committee on Infrastructure and Communications for inquiry. That inquiry rejected calls to rein in the agencies able to employ the power and/or its scope.
Currently, the power can be employed by any Commonwealth, state or federal agency to enforce the criminal law and laws imposing pecuniary penalties; assist the enforcement of the criminal laws in force in a foreign country; protect the public revenue; or safeguard national security.
However, in the wake of the ASIC debacle, the inquiry recommended that the government ensure that agencies that employ the section of the Telco Act “have the requisite level of technical expertise within the agency to carry out such activity, or established procedures for drawing on the expertise of other agencies”.
The other recommendation was that the government develop whole-of-government guidelines for the use of section 313. Agencies would use those guidelines to develop internal policies on the use of s313, including outlining who could authorise a website block, public announcements of blocks where appropriate, and review and appeal processes.
The government accepted both recommendations.
The inquiry’s report was issued in June 2015. On 27 April 2016, the government released draft guidelines on the use of the power as part of a public consultation. Although the consultation concluded a month later, the government is yet to finalise the guidelines.
The government “remains committed to whole-of-government guidelines for the use of Section 313 (3) of the Telecommunications Act 1997,” a spokesperson for the Department of Communications and the Arts told Computerworld.
“The guidelines will be released shortly,” the spokesperson said.
A spokesperson for ASIC said that the organisation is developing guidelines based on the draft released by the department. Last year ASIC said it was still waiting on the government to finalise its s313 guidelines.
The draft guidelines released by the department would not automatically apply to state and territory agencies. They recommend that agencies limit use of the power to serious criminal or civil matters, or matters involving national security.
In addition, the draft outlines a range of proposals for the use of s313, including limitations on the duration of a block and the publication, where possible and appropriate, of what services the agency has issued block requests for, as well as complaint and review processes.
Alongside ASIC, the s313(3) power is only known to have been used by the Australian Federal Police (AFP) and an agency in the Attorney-General’s portfolio (which requested ISPs disrupt access to services as part of counter-terrorism efforts).
The most prolific user of the power is believed to be the AFP, which primarily uses it as part of its Access Limitation Scheme to request ISPs block access to INTERPOL’s ‘Worst of List’ of websites that host child abuse material.
The AFP provides the list to ISPs and relies on them to block access to the named websites, a spokesperson said.
“The number of domains included on the list fluctuates as they are detected and defeated,” an AFP spokesperson said. There were 2021 domains added to the list in 2016, according to the AFP. ISPs have automated access to changes made to the list.
“The AFP believes blocking of this known criminal content is a proactive, disruption strategy which is a positive step in helping to protect children from sexual exploitation and abuse,” the spokesperson said.
“Websites included on the INTERPOL ‘Worst of List’ depict some of the most severe child sexual exploitation material,” the AFP spokesperson added.
The AFP says it uses the section of the Telco Act to request telcos assist it in disrupting illegal online activity where other mechanisms have been (or are likely to be) unsuccessful.
The AFP doesn’t currently compile statistics on its use of the power, but the organisation is known to have also relied on s313 to hinder the spread of malware that sought to obtain the online banking credentials of Australians.