University of New South Wales Faculty of Law - Information Technology Law

Cyberspace-law

`Interception' on the internet - the risks for ISPs

Graham Greenleaf

(Published in (1996) 3 Privacy Law & Policy Reporter 93)

The implications of the Telecommunications (Interception) Act 1979 (Cth) (the `T(I) Act') have received little attention from those interested in cyberspace. The Act poses unexpected potential dangers for internet service providers (ISPs), employers and others who may (intentionally or otherwise) monitor, copy or otherwise deal with communications passing through their facilities.

The types of questions that need to be asked include whether any of the following could constitute illegal interception: (i) monitoring or recording any aspects of content of employees' or clients' e-mail, whether sent or received; or (ii) monitoring or recording the caches of pages browsed by any identifiable individuals, whether on a user's PC, or on any intermediate server.

Frances Wood of AUSTEL has argued recently[1] that the whole area of 'participant recording and monitoring' is unclear and based on outdated assumptions, even in relation to telephone monitoring. The same legislation is even murkier when dealing with cyberspace, and it will only be possible to raise some of the issues here.

Prohibited interceptions

The T(I) Act prohibits interception of 'a communication passing over a telecommunications system' (s7) with certain exceptions. A `communication' includes 'a message' in 'any ... form or combination of forms' (s5), so data can be intercepted, as can any form of multimedia.

'Interception' of 'a communication passing over a telecommunications system' can be by 'listening to or recording[2] by any means' of the communication 'in its passage over[3] that telecommunications system' (s6(1)). The definition of 'telecommunications system' is therefore crucial, as is the question of when the message has finished its `passage over' the system. 'Telecommunications system' is given a very broad definition, to include a `telecommunications network'[4], and specifically 'includes equipment, a line or other facility that is connected to such a network and is within Australia' (all defined as in the Telecommunications Act 1991[5]).

Some implications of these provisions seem to be:

Exceptions to interception

Exceptions or defences to otherwise prohibited interception may arise because of consent, because of s6(2), because of s7(2), or because of the existence of a warrant (not discussed here).

Interception is only an offence where it is `without the knowledge of the person making the communication' (s6(1)). With a telephone conversation, both parties are `making the communication', so the consent of both is required. However, with asynchronous e-mail, http and similar internet facilities, who is `making' the communication at any given time? Perhaps only the sender of e-mail is so doing, but surely it is both parties when a http request is made and replied to. In either case, the mere knowledge (or consent) of an employee or ISP client may be insufficient, so it may be virtually impossible for ISPs, employers etc to protect themselves by obtaining consent. Implied knowledge by the sender might be present in some cases, but not others.

The s6(2) exceptions to interception only apply where interception is done by equipment which is `part of' a service `provided by a carrier' - and other conditions are satisfied. On its face, this terminology reflects outdated assumptions of carrier monopolies, and seems intended to provide exceptions for, say, PABXs or an extension phone, or possibly various types of `call centre' monitoring[7].

However, in the T(I) Act, `carrier' is defined to include `(c) a person who supplies eligible services within the meaning of [the Telecommunications Act] under a class licence issued under section 209 of that Act'. Therefore, the s6(2) exceptions would cover those services provided by ISPs or `self provided', if two conditions are met:

(i) The 'service' intercepted has to be an `eligible service'. ISPs will generally have no problem here, but do employers and others who merely provide a mail server or http proxy cache for `themselves' (eg their employees) provide a `service'? Also, this exception will be of no assistance to those such as some employers providing services that only go over a LAN because they are not eligible services[8].

(ii) The equipment used for the monitoring purpose has to be `part of' the `service' provided.

Under s7(2), it is also a defence, relying upon the same extended definition of `carrier', where an interception is `(a) an act or thing done by an employee of a carrier in the course of his or her duties for or in connection with: ... (ii) the operation or maintenance of a telecommunications system; ... where it is reasonably necessary for the employee to do that act or thing in order to perform those duties effectively'. This would appear to provide protection in relation to acts done in relation to the `operation or maintenance' of (physical) networks, but whether it provides protection in relation to acts done in relation to the services provided over those networks (such as running http proxy caches) is less certain. Even then, there will be questions of how much monitoring and recording is `reasonably necessary' `for or in connection with ... operation or maintenance' of a service.

Conclusions and consequences

The possible scope of illegal interception is much broader than most ISPs, employers etc would ever imagine, and is ill-defined. It is possible that the s6(2) exceptions may exempt most possible `interceptions' by ISPs, employers etc in relation to e-mail, caches etc, but the application of these defences is likely to prove complex and uncertain.

The dangers to ISPs, employers and others of falling on the wrong side of an interception offence are considerable. Serious criminal offences are involved[9]. Very damaging publicity is likely, as Telstra found to its cost in the `COT Cases'.

However, a more immediate danger is likely to be civil damages claims under the new s107A, which provides that a party to a communication intercepted in contravention of s7 may sue the person who intercepted the communication, or who has communicated or used the information in contravention of s63. A Court can award such relief as it considers appropriate (ss(4), (5)), including awarding damages (ss(7)) and even punitive damages (ss(10))!

This paper was presented at the IIR `Information Privacy' Conference, August 1996. The concluding part will be in the next issue of PLPR.

[1] Frances Wood 'Your telephone calls: recording and monitoring' (1996) 3 PLPR 14

[2] `Recording' is undefined, and interesting questions arise as to whether merely reading data on screen - and therefore causing a transitory copy to be made in RAM, perhaps in a cache, and on screen - is `recording' it.

[3] Defined merely to include 'being carried': s5.

[4] '"telecommunications network" means a system, or series of systems, for carrying communications by means of guided or unguided electromagnetic energy or both, but does not include a system, or series of systems, for carrying communications solely by means of radiocommunication';

[5] In the Telecommunications Act '"equipment" means any apparatus or equipment used, or intended for use, in or in connection with a telecommunications network, but does not include a line;' - 'facility' is even broader.

[6] The issue of when a communication stops 'passing over' the network will not be pursued here.

[7] See Frances Wood 'Your telephone calls: recording and monitoring' (1996) 3 PLPR 14

[8] Telecommunications Act s18(1): `Subject to this section, a telecommunications service that is supplied by means of: (a) at least one reserved line link; ... is an eligible service'. A reserved line link is between `distinct places'.

[9] s105 provides for two years' imprisonment.