Introduction Public consultation and debate on telecommunications privacy issues, and the institutional framework Sanctions and enforcement Part 1: Access to information under the Telecommunications Act 1997 Content or substance of communications Part 2: Interception of communications under the Telecommunications (Interception) Act 1979 Interception capability Interception Rules and Safeguards Unauthorised interception
[Unpublished paper, May 200. Please do not quote without prior consultation.]
Like most countries, Australia is still in transition from a monopoly
state owned telco to a deregulated and competitive telecommunications industry.
Telecommunications Act 1997 represents the most recent phase
of successive governments attempts to achieve this transition, whilst at
the same time maintaining a range of accountability safeguards, standards,
and customer service obligations.
Australian legislative developments need to be seen in the context of
government attempts to privatise the dominant government owned carrier
- Telstra. To date, opposition parties have blocked full privatization
- two public floats have taken private ownership to 49%.
The initial corporatisation of Telstra in 1992 - a necessary pre-requisite
for privatization, had the effect of removing Telstra from the coverage
of the federal Privacy Act 1988. However, public pressure forced the then
government to retain the application of the Freedom of Information Act
and Telstra has continued to be required to grant individuals access and
correction rights to personal information.
The 1997 Act introduced a system of co-regulation - carriers and carriage
service providers (CSPs) (the two main classes of industry participants)
are required to support an industry forum to develop standards and codes
of practice for a wide variety of technical operational matters, and to
subscribe to an industry dispute resolution scheme - the Telecommunications
Industry Ombudsman (TIO).
The industry forum established by the participants is the Australian Communications
Industry Forum (ACIF)
which was given a statutory duty to develop codes of practice on privacy
The 1997 Act retained and developed the provisions of the 1991 Act relating to confidentiality and disclosure of information, which to a large extent mirrored the use and disclosure principles of the Privacy Act. Part 13 of the Act is a detailed regime of permitted uses and disclosures, as exceptions to a general duty of confidentiality. It is balanced by the next Part - 14 - which imposes a statutory duty on carriers and carriage service providers to assist government agencies where necessary for law enforcement and revenue protection and safeguarding national security.
The interaction of Parts 13 & 14 of the Telecommunications Act
1997 governs the access by government agencies to all types of information
held by carriers and carriage service providers except the `content
or substance' of communications, access to which is separately regulated
Telecommunications (Interception) Act 1979 (see Part 2 below).
The types of information clearly subject to the disclosure regime in the
1997 Act include customer related information such as subscriber details,
call charge records, reverse call records, IMEI checks and cell dumps;
call tracing; and the affairs or personal particulars (including any unlisted
telephone number or any address) of another person.
Telecommunications is unusual as a sector in having relatively well
funded consumer bodies - originally set up and supported by the government
monopoly carrier Telstra and continued through joint industry funding for
the Consumers Telecommunications Network (CTN),
which participates in most of the working committees of the new industry
forum ACIF as well as lobbying government.
In the early 1990s the federal Privacy Commissioner, who then had jurisdiction over Telstra, took some interest in telecommunications privacy issues - including ruling on applications from Telstra for a waiver from the disclosure principle. The Industry Regulator established under the 1991 Telecommunications Act - AUSTEL - also saw privacy as a significant and growing issue and set up an Inquiry into a range of privacy issues. This Inquiry held public meetings around the country, in which the Privacy Commissioner's office participated and invited submissions on a discussion paper. The final report of the AUSTEL Privacy Inquiry in 1992 identified a range of important issues. As a result of the report, the then Minister for Communications asked AUSTEL in 1994 to set up a Privacy Advisory Committee to consider specific issues. One of these was calling number display (CND), and the Advisory Committee published a report in January 1996.
The successor to AUSTEL under the 1997 Act is the Australian Communications
Authority (ACA). In accordance with the government's preference for self-regulation
- embodied in the 1997 Act - the ACA has not taken any specific initiatives
on Privacy, but has participated in the ACIF working parties which have
developed codes of practice on the Protection of Customer Personal Information,
and on Calling Number Display.
The former code does little more than repeat the principles in the federal
Privacy Act, but in a telecommunications specific context and language
(including the disclosure regime outlined in Part 1 of this paper. The
CND Code attempts to regulate the secondary uses of calling line identification
(CLI) both by carriers and CSPs and by other organizations - mainly by
giving telecommunications subscribers a choice of per-call and per-line
opt-out from having their CLI available for capture and display by call
recipients. The ACIF process involves a round of public consultation, and
this took place in 1999-2000 for both of the privacy codes.
The ACA has exercised its discretion under the Act to register both
the Customer Personal Information and CND Codes. This has the effect of
making them mandatory and binding on carriers and CSPs (The organizational
use Guidelines in the CND Code are to be enforced through contractual arrangements
between the carriers and clients).
A number of other ACIF Codes have important privacy implications. They include:
Some breaches of the Customer Personal Information Code or the (draft) Assistance to Agencies Code are quite likely to also be breaches of the prohibition on disclosure in Part 13 of the Telecommunications Act and these could be criminal offences under s.276-278 - punishable by up to 2 years imprisonment. They could also, from December 2001, be breaches of the National Privacy Principles in the Privacy Act 1988, for which the Privacy Commissioner can investigate and make determinations, including an award of compensation where appropriate. It may be however, that the telecommunications industry applies for registration of their existing (or a revised version of) Customer Personal Information Code, in which case it would become the standard against which Privacy Act compliance would be judged, either by the TIO (if approved as a Code Adjudicator) or by the Privacy Commissioner.
The Act allows disclosure of otherwise confidential information where that disclosure is `reasonably necessary' for one of the following purposes:
(b) the Organisation may assess whether the requested disclosure from an Agency is reasonably necessary for [one of the specified] purposes. (s.282 (1) or (2).
Disclosures for the first two purposes can be made to any agency of an Australian government, but for the third purpose only to the intelligence agency ASIO (under the separate section 283). However, disclosures under s.282 (3)-(5) - in response to a certificate - can only be made to `enforcement' agencies on a prescribed list.
Provided a disclosure meets the three tests of reasonable necessity,
prescribed purpose and prescribed recipient agency, the disclosing organization
is exempt from the prohibition in Part 13 of the Act (which is modeled
on the non-disclosure principle in the Privacy Act 1988). Part 13, like
the Privacy Act principle, provides separately for other permitted disclosures,
including where the disclosure is required by law (such as under a a judicial
warrant or court sub-poena) or in emergency life threatening situations.
There are detailed criteria set out in the Act for the form and processes
for issue of certificates under s.282 (3)-(5), and these are supplemented
by written requirements issued by the ACA in December 1998.
The Act also imposes record-keeping requirements on carriers and carriage
service providers (s.306), and the federal Privacy Commissioner has a statutory
role in monitoring procedural compliance with those requirements (s.309).
A major cause for concern to privacy advocates has been the failure
of any of the authorities to give advice that would encourage the use of
the certificate process, which at least has some procedural safeguards,
as opposed to more informal requests under s.282 (1) and (2).
More generally, there is concern from a privacy perspective about the
whole structure of the access regime. Section 313 creates a presumption
in favour of co-operation with agencies - something which does not apply
to any other private sector organisations. Privacy advocates have argued
consistently over the last decade that this is the reverse of the desirable
situation. They argue that because communications are inherently more sensitive
than many other types of behaviour (and linked closely to values such as
freedom of speech and association), information about them should be protected,
even against state intrusion, to a higher, rather than a lesser standard.
This applies especially to call charge or billing records, which can reveal
a considerable amount about an individuals' communications, and yet do
not receive any greater protection than relatively innocuous data such
as subscribers' names.
There are currently no statutory requirements for telecommunications
providers to keep particular types of records for specific periods of time
to assist law enforcement, although such a requirement has been debated
in the ACIF Code working committees and it is understood that some carriers
may be complying informally with requests from agencies to keep records
for longer than they would need for their own purposes. A principle that
personal information should be kept for no longer than necessary for any
legitimate purpose is already included in the ACIF Customer Personal Information
Code which is binding on all carriers and CSPs.
It is important to recognize, as already stated above, that telecommunications providers continue to be subject to the standard processes whereby information can be `required by law' by government agencies (and others) such as the execution of search warrants, court sob-poenas and a range of statutory `orders' from specific agencies such as the Australian Taxation Office, Commonwealth welfare agencies, and various State regulators. The Telecommunications Act and Privacy Codes all provide an exception that does not prevent providers from complying with such demands.
From time to time, the debate over privacy of telecommunications has
achieved a wider exposure. The most recent example was in February 2001
when the Opposition in federal parliament asked questions about the total
volume of disclosures to government agencies under the Telecommunications
Act. The revelation that there were nearly 1 million separate disclosures
by telcos in 1999-2000 (a more than 12% increase on the previous year),
while not news to anyone who has followed the issue more closely, attracted
some media attention.
The significance of this latter limitation lies in the fact that the
`content or substance' exception only relates to the certificate option
for disclosure (s.282 (3)-(5)), and not to the option where the carrier
or provider discloses on the basis of its own assessment of `reasonable
necessity' (s.282 (1) or (2)).
Normal principles of statutory interpretation could be used to argue
that because both the certificate provisions and the Telecommunications
(Interception) Act clearly deal with the issue of content, it cannot have
been intended that s.282 (1) and (2) should provide a loophole with lesser
safeguards. However, the drafters of the ACIF Code on Assistance to Agencies,
being finalised in April 2001, have declined to give guidance to this effect,
confining themselves to the following statements:
2.7.2 Subsections 282(1) and 282(2) may authorise disclosure of content and substance. In view of the sensitive nature of the disclosure where content and substance are involved it would be prudent for Organisations to obtain legal advice.
2.7.3 This means that an Organisation cannot rely on section 282 to disclose information concerning the content of substance of a communication to an Agency. Although the disclosure of that information may be authorised under section 280 of the Act (if a warrant has been obtained), the Organisation should ensure that any disclosure complies with the provisions of the Telecommunications (Interception) Act 1979(Cth) or the relevant State's or Territory's Listening Deviceslegislation........
2.7.5 Carriers and Service Providers may have to make judgements as to what constitutes the contents or substance of information or a document in relation to particular technologies, especially store-and-forward technologies such as stored voicemail, e-mail, or paging messages.The other ambiguity about the scope of the `content or substance' exception concerns whether it applies to stored communications, such as email, pager or SMS messages or calls recorded in an answering service or messagebank. At what point are such messages or calls deemed to have been `delivered' for the purposes of the exception? - when it has been posted to a user's `mailbox' or message bank? or only when read? It would seem clear that once a user has accessed or read such a stored message it loses the protection of the `content or substance' exception even if the user chooses to leave it temporarily in the carrier/CSPs storage device. Even without resolving the other ambiguity this means that there is at least one category of `content' - stored messages after they have been read - which is subject to the Telecommunications Act regime rather than the stricter Telecommunications (Interception) Act.
The interception requirements were subsequently standardised in conformity
with an international agreement
- and the obligation carried forward into the Telecommunications Act
1997. As a result of an amendment in late 1997, Part 15 of the new
Telecommunications Act 1997 now requires both carriers and carriage service
providers to ensure that both networks and facilities are able to allow
interception in accordance with a warrant issued under the Telecommunications
(Interception) Act 1979. It also requires carriers and some nominated
carriage service providers to notify the Australian Communications Authority
(ACA) of any technological changes that may affect the interception capability,
and provides for them to prepare and lodge annual interception capability
plans with the Attorney-General.
There was for a while some doubt about the application of the Part 15
interception capability requirement to encrypted content. This was clarified
in 1998 by an official of the Attorney-General's Department:
"Yes, the changes do require carriers and service providers to provide an interception capability. And yes this could include the ability to decrypt messages which may have been encrypted by the carrieror service provider as part of the normal operation of the service. It does not, however, require carriers or service providers to decrypt traffic which has been encrypted by customers before being carried over the network." (emphasis in the original)A related development was the effective prohibition of the issue of 'anonymous' pre-paid SIM cards for digital mobile phones. For a period until 1997, it was possible to purchase a SIM card for cash and use it in a mobile phone with no record being made or kept of the purchaser's identity. In another largely unnoticed policy response, the law enforcement community prevailed on the ACA to issue a direction to carriers to require proof of identity from people buying pre-paid SIM cards. Privacy advocates submitted that had there been a proper public debate about this change, someone might have questioned the value to law enforcement agencies of information about the purchaser, who need bear little if any relationship to the eventual user. They suggested that this measure appeared to be yet another 'just in case' extension of surveillance without adequate justification for the collection of detailed identity details about thousands of individual customers.
Separate legislation provides for interception warrants to be obtained
by the intelligence agency ASIO, but these warrants are issued by the Attorney-General
- a government minister.
The ASIO legislation provides for emergency warrants to be issued by the
Director-General of the agency itself subject to subsequent ratification
by the Minister. In contrast, the general interception regime only provides
for a limited category of life-threatening emergencies where interception
without a warrant is permitted,
together with a telephone application process for urgent warrants (rarely
The Telecommunications (Interception) Act provides for a form
of cost recovery by carriers of the costs of interception, through charges
for each `intercept' - this is separate from the arrangements for funding
the interception capability already described above.
The telecommunications interception legislation is, according to a recent
"designed to be technology-neutral and applies to any form of communication--voice,
fax, images or data--passing over a telecommunications system. Therefore,
it already applies broadly to modern forms of communications such as Short
Message Services (SMS) over the GSM
networks, email and other types of Internet communications, which at some
stage must pass over a telecommunications system".
However, the effectiveness of the legislation is arguably compromised
by uncertainty and ambiguity over two major issues. Firstly the question
of `content or substance' already discussed above. Secondly, the issue
of `participant monitoring'. This is defined only indirectly by the Act
as an exception, but it is generally recognized that the position of, in
particular, organizations that are the subscriber for a telephone service,
monitoring or recording conversations between their staff and third parties
is far from clear.
Interception was originally handled centrally through the Australian
Federal Police, but amendments have allowed some eligible authorities (mainly
the State police forces) to deal directly with the carriers. Other agencies
still have to obtain their intercept `product' through another agency.
There are strict record-keeping requirements applying both to carriers
and to the eligible authorities serving the warrants.
These records are subject to reporting requirements and to oversight by
the Federal and State/Territory Ombudsmen, as applicable. The federal Attorney-General's
Department publishes an Annual Report on the operation of the Act. The
most recent report reveals that 1286 applications were made and warrants
were issued in all but two cases.
This represents a doubling of applications from the previous two years
- explained in the report as partly due to increased funding for Commonwealth
law enforcement agencies and increasing complexity and diversification
of the telecommunications environment, including greater availability of
mobile phone services. The main increases were attributable to the Federal
Police, National Crime Authority (both principally an increase in warrants
for narcotics offences) and to NSW and Victoria Police and the NSW Crime
In 1998, a telecommunications working group of the International Data Protection Commissioners issued a common position on accountability for interception, stating that there should be mechanisms to re-assure the public that interception powers are being used lawfully, appropriately and proportionally. The mechanisms suggested include:
Resourcing issues for the federal court have also led to another significant
change to the interception regime. The Telecommunications (Interception)
and Listening Device Amendment Act 1997
allow warrants to be issued by designated members of the Administrative
Appeals Tribunal. This was presented by the government, and eventually
accepted by the Opposition, as an unavoidable necessity given the unwillingness
of federal court judges to continue to perform the role exclusively.
The level of debate on this major development was disappointing,
with the Opposition only belatedly raising concerns in the House of Representatives
when it was too late to effect changes. A number of arguably spurious justifications
put forward by the government went largely unchallenged, although the Chief
Justice of the Federal Court has confirmed publicly that the judges concern
about both the burden of interception warrant approvals and the potential
conflict of roles was genuine.
The real concern in this matter, according to privacy submissions, is the
fact that most of the AAT members who are likely to be designated by the
Attorney-General under the amendments are appointed for fixed terms, and
are not tenured. Privacy groups submitted that without casting any aspersions
on the integrity or diligence of individual AAT members, it is simply not
satisfactory to have people whose future career prospects may depend on
further governmental appointments deciding something as crucial as the
issuing of an interception or `bugging' warrant.
The Annual Report on the Act for 1989-99 anticipates the transfer of the warrant issuing function to the proposed new Administrative Review Tribunal (ART) which will replace the AAT, and also the addition of the new federal magistrates as persons authorized to issue warrants. This latter development would partially restore the former status quo, although magistrates, while part of the judiciary, are not tenured like federal court judges.
Two official federal government reviews of Interception have been completed in recent years, with limited opportunity for public submissions and debate.
The first review was by the Australian Communications Authority, which
looked at the cost effectiveness of the interception obligations on carriers
and carriage service providers and the cost sharing arrangements.
The second was a broader review of interception policy, promised at the
time of the 1997 `warrant issuing' amendments, and conducted by the Commonwealth
Although public submissions to both reviews were invited, they were not
widely solicited or publicized, and in the case of the AGs review details
were only made available on request, which inevitably limited the number
and breadth of inputs. The draft report which was sent to interested parties
on request did however give an excellent account of the background and
Other concerns raised in submissions by privacy advocates to the two
The only significant amendment to the regime since 1997 has been the introduction of `named person' warrants. The government contended that when a person under investigation is able to move rapidly among a selection of services, it becomes difficult to identify all relevant services in advance for the purposes of obtaining a separate warrant authorising the interception of each of those services.
The Government responded to this problem by amending the legislation
to provide for a new category of interception warrant: the named person
warrant. Named person warrants enable an agency to intercept any services,
which are, or are likely to be, used by the person identified on the warrant.
Because a named person warrant is not confined to a particular service,
an investigating agency now has the flexibility to rapidly connect and
disconnect interceptions as the suspect changes from service to service
during the currency of the warrant. The named person warrant provisions
of the Amendment Act will be subject to a review in 2003.
Other recent changes which apply only to ASIO interception warrants,
 Carriers provide networks - there are currently three main carriers - Telstra (fixed and mobile); Cabel & Wireless Optus (mobile and some geographically specific fixed networks via cable); and Vodafone (mobile only). A spectrum auction for so called third generation mobile network licences is being held in 2001 and is likely to see additional carriers. Carriage service providers (CSPs) include a wide range of `re-sellers' taking advantage of statutorily mandated access to the Telstra network, and also include Internet Service Providers. There are currently more than 700 CSPs.
 See http://www.tio.org.au
 See http://www.acif.org.au
 ACIF Draft Code C537 : Provision of assistance to national security, enforcement and other government agencies, clauses 2.1.3 and 2.2.1.
 see http://www.ctn.org.au
 Public Interest Determination - Application No 6, 27 September 1991 - the Commissioner found that Telstra did not need an exemption from Information Privacy Principles 11 and 2 in relation to the operation of its Electronic White Pages directory.
 Telecommunications Privacy, AUSTEL, December 1992.
 Code C523 - see http://www.acif.org.au
 Code C522 - see http://www.acif.org.au
 All available at http://www.acif.org.au
 ACIF Draft Code C537 : Provision of assistance to national security, enforcement and other government agencies - consultation draft available at http://www.acif.org.au.
Telecommunications and Law Enforcement, Fact sheet and Manual - at http://www.aca.gov.au
 ACIF Draft Code C537, clauses 2.1.3 and 2.2.1.
 This will also become a requirement under the recent private sector amendments to the Privacy Act 1988, unless the telecommunications industry applies for a Code of Practice (either the existing one or a revised version) to replace the default statutory principles.
 Analogue mobile calls are in any case broadcast in clear, and can be picked up by cheap and easily available radio scanners.
International Requirements for Interception, International Law Enforcement Telecommunications Seminar (ILETS)
 Holland, K: 'Recent International Legal Developments in Encryption' , IIR Conferences, 1998 - http://www2.austlii.edu.au/itlaw/articles/Holland.html
Australian Security Intelligence Organisation Act 1979
Telecommunications (Interception) Act 1979, s.30.
 Attorney-General's Portfolio submission to a Parliamentary Committee Inquiry into Law Enforcement and New Technology - see http://www.aph.gov.au/nca
 Global Specification Mobile-a digital mobile telephone technology
 This statement begs the question already posed above as to whether the Interception regime applies to such `stored message' communications after they have been deposited in the recipients `mailbox' and/or read for the first time.
Telecommunications (Interception) Act 1979, Part XA
Participant Monitoring of Communications, ACIF Guideline, July 1998 - see http://www.acif.org.au
 State or Territory legislation imposing equivalent accountability requirements on State or Territory agencies is a pre-condition for the federal Attorney-General approving access.
Telecommunications (Interception) Act 197, Annual Report for the year ending 30 June 1999. see http://law.gov.au/publications/annreptelecom.pdf
 International Working Group on Data Protection in Telecommunications: Common Position on Public Accountability in relation to Interception of Private Communications, April 1998.
 No. 160 of 1997.
 Waters, N: Telecommunications Interception: - extending the reach or maintaining the status quo?, Privacy Law & Policy Reporter, Vol 4 No 6, November 1997, page 110
 Letter from the Chief Justice to the Australian Privacy Charter Council, 13 April 1999.
 Australian Communications Authority - Telecommunications Interception Review - Review into longer term cost effectiveness of arrangements for telecommunications interception, Discussion Paper December 1998 (was on www.aca.gov.au ).
 Attorney-General's Department - Policy Review of the Telecommunications (Interception) Act 1979, announced on the Department's Window on the Law web site December 1998 www.law.gov.au//aghome/legalpol/isld/tipr/Welcome.html
Participant Monitoring of Communications, ACIF Guideline, July 1998 - see http://www.acif.org.au
 see http://law.gov.au/publications/teleintreview/teleintreview.html
 see http://www.aca.gov.au/licence/carrier/interception.htm
 Attorney-General's Portfolio submission to a Parliamentary Committee Inquiry into Law Enforcement and New Technology, June 2000 - see http://www.aph.gov.au/nca
Telecommunications (Interception) Legislation Amendment Act 2000, No 63/2000
ASIO Legislation Amendment Act 1999, s.25(2).
ASIO Legislation Amendment Bill 2000, s.25(10) and s.25(8) respectively.
ASIO Legislation Amendment Bill 2000, s.25A
ASIO Legislation Amendment Bill 2000, s.25A(5)
 Government response to the Joint Parliamentary Committee, June 1999 - see http://www.aph.gov.au/house/committee/pjcasio/govresp1.htm . This commitment was supposedly given effect by s.25A(4) - although the precise effect of this in conjunction with s.25A(5) remains unclear.