12. Telecommunications privacy issues

Updated by Nigel Waters, 3 June 2002

This reading guide concentrates mainly on Australian law in this complex area, although reference is made to relevant international developments.

12.1. General Resources

12.2. Obligations of telecommunications providers

Because of the sensitivity of communications privacy, telecommunications was singled out as a special case well before the rest of the private sector, and has been regulated by separate legislation for over ten years.

12.2.1. Privacy obligations

Until the early 1990s, the old Telecom Australia, as a government-owned supplier with in effect a monopoly in telecommunications, was subject to the Privacy Act IPPs as a government agency. The corporatisation of Telecom as Telstra in 1992 had the effect of removing it from the coverage of the federal Privacy Act 1988. However, public pressure forced the then government to retain the application of the Freedom of Information Act and Telstra has continued to be required to grant individuals access and correction rights to personal information.

The 1997 Telecommunications Act introduced a system of co-regulation. Carriers and carriage service providers (CSPs) (the two main classes of industry participants - there are a handful of carriers and over 700 service providers) are required to support an industry forum to develop standards and codes of practice for a wide variety of technical operational matters, and to subscribe to an industry dispute resolution scheme - the Telecommunications Industry Ombudsman (TIO). The industry forum established by the participants is the Australian Communications Industry Forum (ACIF), which was given a statutory duty to develop codes of practice on privacy issues.

The 1997 Act retained and developed the provisions of the 1991 Act relating to confidentiality and disclosure of information, which to a large extent mirrored the use and disclosure principles of the Privacy Act. Part 13--Protection of communications is a detailed regime of permitted uses and disclosures, as exceptions to a general duty of confidentiality. It includes a similar range of exceptions as do the use and disclosure IPPs in the Privacy Act.

ACIF working parties have developed codes of practice on the Protection of Customer Personal Information Code C523, and on Calling Number Display Code C522. The former code does little more than repeat the principles in the federal Privacy Act, but in a telecommunications specific context and language. The CND Code attempts to regulate the secondary uses of calling line identification (CLI) both by carriers and CSPs and by other organizations - mainly by giving telecommunications subscribers a choice of per-call and per-line opt-out from having their CLI available for capture and display by call recipients.

The Australian Communications Authority (ACA) exercised its discretion under the Act to register both the Customer Personal Information and CND Codes. This had the effect of making them mandatory and binding on carriers and CSPs (The organizational use Guidelines in the CND Code are to be enforced through contractual arrangements between the carriers and clients). However, as larger carriers and CSPs are now bound by the National Privacy Principles of the Privacy Act, the ACA de-registered the CPI Code as from 21 December 2001 to avoid duplication. This leaves any small business operators in telecommunications exempt from any binding principles although they remain subject to Part 13 restrictions on disclosures (see below) and they can still choose to voluntarily adopt the ACIF CPI Code if they wish (another option is to opt-in to the Privacy Act and NPPs).

A number of other ACIF Codes have important privacy implications. They include:

* Code C555: Integrated Public Number Database (a common database of subscriber names and numbers required to be established under the Act).

* Code C518: Call charging and billing accuracy.

* Code C525: Handling Life Threatening and Unwelcome Calls.

* Code C536: Emergency Call Services Requirements, and

* Code C537: Provision of Assistance to National Security, Enforcement and Government Agencies (this code is particularly relevant to this paper and is referred to below).

All the above codes have been registered by the ACA and are therefore binding on participants.

12.2.1. Sanctions and enforcement

Breaches of ACIF Codes can in some cases be investigated by the TIO, who can award compensation in appropriate cases, but can also be reported to ACIF, who in theory have a process for holding signatories to account. For ACA registered codes, the ACA has reserve powers in the case of repeated or flagrant breaches but this is a somewhat blunt sanction.

Some breaches of the Assistance to Agencies Code and of the Privacy Act NPPs (which have now superseded the CPI Code) are quite likely to also be breaches of the prohibition on disclosure in Part 13 of the Telecommunications Act and these could be criminal offences under s.276-278 - punishable by up to 2 years imprisonment.

The question of how the Telecommunications privacy codes (other than the CPI Code) relate to the Privacy Act, since December 2001, remains unanswered. Will the industry seek to register the existing telecommunications codes as approved Codes of Practice under the Privacy Act? Will this include making the TIO a Code Adjudicator under the Privacy Act? Will the codes need to be significantly amended to meet the standards required by the Privacy Commissioner? How will the codes be enforced and by whom if they are registered under both Acts?

All these questions remain to be answered but are discussed by Holly Raiche [link]

12.2.2. Law enforcement obligations

The privacy obligations in Part 13 are balanced by the next Part - Part 14 - National interest matters - which imposes a statutory duty on carriers and carriage service providers to assist government agencies where necessary for law enforcement and revenue protection and safeguarding national security.

The interaction of Parts 13 & 14 of the Telecommunications Act 1997 governs the access by government agencies to all types of information held by carriers and carriage service providers except the `content or substance' of communications, access to which is separately regulated by the Telecommunications (Interception) Act 1979 (see below).

The types of information clearly subject to the disclosure regime in the 1997 Act include customer related information such as subscriber details, call charge records, reverse call records, IMEI checks and cell dumps; call tracing; and the affairs or personal particulars (including any unlisted telephone number or any address) of another person.

Access by law enforcement agencies is the subject of ACIF Code C537: Provision of assistance to national security, enforcement and government agencies. It is also covered in an ACA Fact sheet and Manual - Telecommunications and Law Enforcement - available on the ACA site.

Part 13 of the Act allows disclosure of otherwise confidential information where that disclosure is `reasonably necessary' for one of the following purposes:

Carriers and carriage service providers can meet the `reasonably necessary' test, in two different ways: Disclosures for the first two purposes can be made to any agency of an Australian government, but for the third purpose only to the intelligence agency ASIO (under the separate section 283). However, disclosures under s.282 (3)-(5) - in response to a certificate - can only be made to `enforcement' agencies on a prescribed list.

Provided a disclosure meets the three tests of reasonable necessity, prescribed purpose and prescribed recipient agency, the disclosing organization is exempt from the prohibition in Part 13 of the Act (which is modelled on the non-disclosure principle in the Privacy Act 1988). Part 13, like the Privacy Act principle, provides separately for other permitted disclosures, including where the disclosure is required by law (such as under a judicial warrant or court sub-poena) or in emergency life threatening situations.

There are detailed criteria set out in the Act for the form and processes for issue of certificates under s.282 (3)-(5), and these are supplemented by written requirements issued by the ACA in December 1998.

The Act also imposes record-keeping requirements on carriers and carriage service providers (s.306), and the federal Privacy Commissioner has a statutory role in monitoring procedural compliance with those requirements (s.309) (but no power to review the merits of the certificates).

A major cause for concern to privacy advocates has been the failure of any of the authorities to give advice that would encourage the use of the certificate process, which at least has some procedural safeguards, as opposed to more informal requests under s.282 (1) and (2).

More generally, there is concern from a privacy perspective about the whole structure of the access regime. Section 313 creates a presumption in favour of co-operation with agencies - something which does not apply to any other private sector organisations. Privacy advocates have argued consistently over the last decade that this is the reverse of the desirable situation. They argue that because communications are inherently more sensitive than many other types of behaviour (and linked closely to values such as freedom of speech and association), information about them should be protected, even against state intrusion, to a higher, rather than a lesser standard. This applies especially to call charge or billing records, which can reveal a considerable amount about an individual's communications, and yet do not receive any greater protection than relatively innocuous data such as subscribers' names.

12.3. Data retention

There are currently no statutory requirements for telecommunications providers to keep particular types of records for specific periods of time to assist law enforcement, although such a requirement has been debated in the ACIF Code working committees and it is understood that some carriers may be complying informally with requests from agencies to keep records for longer than they would need for their own purposes. The principle that personal information should be kept for no longer than necessary for any legitimate purpose was already included in the ACIF Customer Personal Information Code and is now binding on all larger carriers and CSPs as part of NPP4.

There is a world-wide push by enforcement agencies to require retention of telecommunications records for longer periods (see http://www.epic.org/privacy/intl/data_retention.html). The 2001 Council of Europe Cybercrime Convention (Treaty 185) (http://conventions.coe.int/) at least recommended a maximum retention period of 90 days (Article 16). But a European Parliament resolution on 30 May cleared the way for a new EU Directive on Data Protection and Telecommunications which will allow for member states to require retention for unlimited periods.

It is important to recognize, as already stated above, that telecommunications providers continue to be subject to the standard processes whereby information (other than content or substance - see below) can be `required by law' by government agencies (and others) such as the execution of search warrants, court sub-poenas and a range of statutory `orders' from specific agencies such as the Australian Taxation Office, Commonwealth welfare agencies, and various State regulators. The Telecommunications Act, Privacy Act and Codes all provide an exception that does not prevent providers from complying with such demands.

From time to time, the debate over privacy of telecommunications has achieved a wider exposure. The most recent example was in February 2001 when the Opposition in federal parliament asked questions about the total volume of disclosures to government agencies under the Telecommunications Act. The revelation that there were nearly 1 million separate disclosures by telcos in 1999-2000 (a more than 12% increase on the previous year), while not news to anyone who has followed the issue more closely, attracted some media attention.

12.3.1. Content or substance of communications

There is some ambiguity about the scope of the `content or substance' exception in s.282 of the Telecommunications Act 1997. This section of the Act refers to communications which have been carried, or are being carried (including a communication that has been collected or received by such a Carrier or provider for carriage by it but has not been delivered by it). It also only relates to disclosures subject to a certificate issued by an agency to the effect that the disclosure is reasonably necessary.

The significance of this latter limitation lies in the fact that the `content or substance' exception only relates to the certificate option for disclosure (s.282(3)-(5)), and not to the option where the carrier or provider discloses on the basis of its own assessment of `reasonable necessity' (s.282 (1) or (2)).

Normal principles of statutory interpretation could be used to argue that because both the certificate provisions and the Telecommunications (Interception) Act (see below) clearly deal with the issue of content, it cannot have been intended that s.282 (1) and (2) should provide a loophole with lesser safeguards. However, the ACIF Code on Assistance to Agencies, declines to give guidance to this effect, saying only:

2.7.2 Subsections 282(1) and 282(2) may authorise disclosure of content and substance. In view of the sensitive nature of the disclosure where content and substance are involved it would be prudent for Organisations to obtain legal advice.
2.7.3 This means that an Organisation cannot rely on section 282 to disclose information concerning the content of substance of a communication to an Agency. Although the disclosure of that information may be authorised under section 280 of the Act (if a warrant has been obtained), the Organisation should ensure that any disclosure complies with the provisions of the Telecommunications (Interception) Act 1979 (Cth) or the relevant State's or Territory's Listening Devices legislation.
2.7.5 Carriers and Service Providers may have to make judgements as to what constitutes the contents or substance of information or a document in relation to particular technologies, especially store-and-forward technologies such as stored voicemail, e-mail, or paging messages.

The other ambiguity about the scope of the `content or substance' exception concerns whether it applies to stored communications, such as email, pager or SMS messages or calls recorded in an answering service or messagebank. At what point are such messages or calls deemed to have been `delivered' for the purposes of the exception - when they have been posted to a user's `mailbox' or message bank, or only when read? It would seem clear that once a user has accessed or read such a stored message it loses the protection of the `content or substance' exception even if the user chooses to leave it temporarily in the carrier's/CSP's storage device. Even without resolving the other ambiguity this means that there is at least one category of `content' - stored messages after they have been read - which is subject to the Telecommunications Act regime rather than the stricter Telecommunications (Interception) Act.

A Bill introduced as part of the Anti-Terrorism package in early 2002 seeks to clearly make stored communications accessible under the complete range of other powers rather than only under the Interception Act (see next section).

12.4. Telecommunications (Interception) Act issues

The Telecommunications (Interception) Act 1979 (Cth) provides significant privacy protection, including in relation to interception of personal information via the internet.

* Nigel Waters `Government Access to Telecommunications in Australia' (2001)

* Graham Greenleaf 'Interception' on the internet - the risks for ISPs' (1996) 3 Privacy Law & Policy Reporter 93

* Nigel Waters 'Telecommunications interception - extending the reach or maintaining the status quo' 4 PLPR 110 - details amendments to interception provisions, and particularly the need to obtain a warrant, made by the Telecommunications Legislation Amendment Bill 1997.

12.5. Interception capability

With the introduction of the digital mobile (GSM) networks in the early 1990's, the law enforcement agencies which are able to obtain warrants under the Telecommunications (Interception) Act 1979 (see below) became concerned that they would lose the capability to intercept. This is because, in contrast to the standard fixed telephone services, and the original analogue mobile network, digital mobiles automatically encrypt voice and data messages before they are transmitted. Initially, this encryption rendered digital mobile traffic secure from interception. The government included in the legislation (the Telecommunications Act 1991 and the Telecommunications (Interception-Carriers) Act 1992) an obligation on carriers to develop and implement (at their own expense) an interception capability. This proved more difficult and expensive than anticipated, and the carriers were given both a waiver from the requirement for several years and, it is understood, a subsidy towards the cost.

The interception requirements were subsequently standardised in conformity with an international agreement - International Requirements for Interception, International Law Enforcement Telecommunications Seminar (ILETS) - and the obligation carried forward into the Telecommunications Act 1997. As a result of an amendment in late 1997, Part 15 of the new Telecommunications Act 1997 now requires both carriers and carriage service providers to ensure that both networks and facilities are able to allow interception in accordance with a warrant issued under the Telecommunications (Interception) Act 1979. It also requires carriers and some nominated carriage service providers to notify the Australian Communications Authority (ACA) of any technological changes that may affect the interception capability, and provides for them to prepare and lodge annual interception capability plans with the Attorney-General.

There was for a while some doubt about the application of the Part 15 interception capability requirement to encrypted content. This was clarified in 1998 by an official of the Attorney-General's Department:

"Yes, the changes do require carriers and service providers to provide an interception capability. And yes this could include the ability to decrypt messages which may have been encrypted by the carrier or service provider as part of the normal operation of the service. It does not, however, require carriers or service providers to decrypt traffic which has been encrypted by customers before being carried over the network." (emphasis in the original) 'Recent International Legal Developments in Encryption'

A related development was the effective prohibition of the issue of 'anonymous' pre-paid SIM cards for digital mobile phones. For a period until 1997, it was possible to purchase a SIM card for cash and use it in a mobile phone with no record being made or kept of the purchaser's identity. In another largely unnoticed policy response, the law enforcement community prevailed on the ACA to issue a direction to carriers to require proof of identity from people buying pre-paid SIM cards. Privacy advocates submitted that had there been a proper public debate about this change, someone might have questioned the value to law enforcement agencies of information about the purchaser, who need bear little if any relationship to the eventual user. They suggested that this measure appeared to be yet another 'just in case' extension of surveillance without adequate justification for the collection of detailed identity details about thousands of individual customers.

12.6. Interception Rules and Safeguards

The government has sought to re-assure the public about interception by imposing rigorous controls over the process. The federal Telecommunications (Interception) Act 1979 makes unauthorized interception unlawful, and regulates the interception of telecommunications by all law enforcement agencies including State and Territory police forces. Until recently, the major safeguard was the necessity to obtain a warrant from a federal court judge, and the range of offences in relation to which warrants can be obtained is limited and specified in the Act. The way in which intercept `product' may be handled and its uses are strictly specified in the Act. There is also a range of other accountability measures such as procedural oversight by Federal and State Ombudsmen and an annual report to the Attorney-General, tabled in Parliament. The regime falls short of practice in some overseas jurisdictions, such as the United States, where there is a requirement to notify people whose communications have been intercepted after the event, once investigations will no longer be prejudiced.

Separate legislation (the Australian Security Intelligence Organisation Act 1979) provides for interception warrants to be obtained by the intelligence agency ASIO, but these warrants are issued by the Attorney-General - a government minister. The ASIO legislation provides for emergency warrants to be issued by the Director-General of the agency itself subject to subsequent ratification by the Minister. In contrast, the general interception regime only provides for a limited category of life-threatening emergencies where interception without a warrant is permitted (Telecommunications (Interception) Act 1979, s.30), together with a telephone application process for urgent warrants (rarely used).

The Telecommunications (Interception) Act provides for a form of cost recovery by carriers of the costs of interception, through charges for each `intercept' - this is separate from the arrangements for funding the interception capability already described above.

The telecommunications interception legislation is, according to a recent government submission (http://www.aph.gov.au/nca), "designed to be technology-neutral and applies to any form of communication--voice, fax, images or data--passing over a telecommunications system. Therefore, it already applies broadly to modern forms of communications such as Short Message Services (SMS) over the Global Specification for Mobile (GSM) networks, email and other types of Internet communications, which at some stage must pass over a telecommunications system". This statement begged the question already posed above as to whether the Interception regime applies to such `stored message' communications after they have been deposited in the recipient's `mailbox' and/or read for the first time.

As noted above, the government has now moved to clarify the application of the law to `stored communications' as part of its package of Anti-Terrorism legislation. The Telecommunications Interception Legislation Amendment Bill 2002 would give government agencies (not only police forces) powers to intercept and read email, voice mail and SMS messages, without an interception warrant (as is presently required). Furthermore, agencies that are not allowed to obtain and use interception warrants (like the Taxation Office, the Australian Securities and Investments Commission, the Immigration Department, etc.) would gain the power to intercept and read private communications. A detailed analysis of the Bill and its implications can be found at: http://www.efa.org.au/Issues/Privacy/tia_bill2002.html

12.6.1. Unauthorised interception

Apart from creating a regime for authorised interception, the Telecommunications (Interception) Act provides sanctions against other interception. Unauthorised interception is an indictable criminal offence, carrying a penalty of up to 2 years imprisonment. The Act also creates a statutory tort, allowing anyone whose communications are intercepted to seek civil remedies (Part XA). However, the effectiveness of the legislation is arguably compromised by uncertainty and ambiguity over two major issues. Firstly the question of `content or substance' already discussed above. Secondly, the issue of `participant monitoring'. This is defined only indirectly by the Act as an exception, but it is generally recognized that the position of, in particular, organizations that are the subscriber for a telephone service, monitoring or recording conversations between their staff and third parties is far from clear. See Participant Monitoring of Communications, ACIF Guideline, July 1998 on ACIF.

12.6.2. Authorised Interception

The range of offences for which interception warrants may be obtained, and the list of agencies allowed to apply for warrants, have both expanded since the Act was first introduced in 1979. The latter development arguably only reflects the proliferation of law enforcement agencies and oversight or watchdog agencies in recent years. The former development is less easy to explain and arguably to justify, other than as an inevitable `function creep' under pressure to respond to perceived crime threats. Warrants can currently be obtained in relation to two classes of offence - Class 1 offences including murder, kidnapping and narcotics offences; Class 2 includes a range of other serious offences, the common criterion being that the offence is punishable by imprisonment for at least 7 years.

Interception was originally handled centrally through the Australian Federal Police, but amendments have allowed some eligible authorities (mainly the State police forces) to deal directly with the carriers. Other agencies still have to obtain their intercept `product' through another agency.

There are strict record-keeping requirements applying both to carriers and to the eligible authorities serving the warrants. These records are subject to reporting requirements and to oversight by the Federal and State/Territory Ombudsmen, as applicable. The federal Attorney-General's Department publishes an Annual Report on the operation of the Act. The most recent report reveals that 1286 applications were made and warrants were issued in all but two cases. This represents a doubling of applications from the previous two years - explained in the report as partly due to increased funding for Commonwealth law enforcement agencies and increasing complexity and diversification of the telecommunications environment, including greater availability of mobile phone services. The main increases were attributable to the Federal Police and National Crime Authority (in both cases mainly in warrants for narcotics offences) and to NSW and Victoria Police and the NSW Crime Commission.

In 1998, a telecommunications working group of the International Data Protection Commissioners issued a common position on accountability for interception, stating that there should be mechanisms to re-assure the public that interception powers are being used lawfully, appropriately and proportionally. The mechanisms suggested include:

While the Australian interception regime meets some of these benchmarks, it falls short in relation to some of the detailed reporting standards recommended in the statement. Also, the monitoring powers of the Ombudsmen are restricted to procedural matters rather than extending to the substance of the warrants and justifications. Ideally this would be more appropriately an additional function for the courts, but the federal court is not adequately resourced to undertake the systematic retrospective monitoring of the warrant system, and the same issues would arise about constitutional separation of powers as have done with the warrant issuing authority itself (see below).

Resourcing issues for the federal court have also led to another significant change to the interception regime. The Telecommunications (Interception) and Listening Device Amendment Act 1997 allows warrants to be issued by designated members of the Administrative Appeals Tribunal. This was presented by the government, and eventually accepted by the Opposition, as an unavoidable necessity given the unwillingness of federal court judges to continue to perform the role exclusively.

The level of debate on this major development was disappointing, with the Opposition only belatedly raising concerns in the House of Representatives when it was too late to effect changes. A number of arguably spurious justifications put forward by the government went largely unchallenged, although the Chief Justice of the Federal Court has confirmed publicly that the judges' concern about both the burden of interception warrant approvals and the potential conflict of roles was genuine. The real concern in this matter, according to privacy submissions, is the fact that most of the AAT members who are likely to be designated by the Attorney-General under the amendments are appointed for fixed terms, and are not tenured. Privacy groups submitted that without casting any aspersions on the integrity or diligence of individual AAT members, it is simply not satisfactory to have people whose future career prospects may depend on further governmental appointments deciding something as crucial as the issuing of an interception or `bugging' warrant.

The Annual Report on the Act for 1989-99 anticipates the transfer of the warrant issuing function to the proposed new Administrative Review Tribunal (ART) which will replace the AAT, and also the addition of the new federal magistrates as persons authorized to issue warrants. This latter development would partially restore the former status quo, although magistrates, while part of the judiciary, are not tenured like federal court judges.

Two official federal government reviews of Interception have been completed in recent years, with limited opportunity for public submissions and debate.

The first review was by the Australian Communications Authority, which looked at the cost effectiveness of the interception obligations on carriers and carriage service providers and the cost sharing arrangements - Telecommunications Interception Review - Review into longer term cost effectiveness of arrangements for telecommunications interception, Discussion Paper December 1998 (was on www.aca.gov.au). The second was a broader review of interception policy, promised at the time of the 1997 `warrant issuing' amendments, and conducted by the Commonwealth Attorney-General's Department.

Although public submissions to both reviews were invited, they were not widely solicited or publicized, and in the case of the AGs review details were only made available on request, which inevitably limited the number and breadth of inputs. The draft report which was sent to interested parties on request did however give an excellent account of the background and current issues.

Other concerns raised in submissions by privacy advocates to the two reviews included:

The Attorney-General's Department published a report of their review in May 1999, and the Minister tabled the ACA's review in Parliament in July 2000.

The only significant amendment to the regime since 1997 (until the proposed 2002 changes already discussed) has been the introduction of `named person' warrants. The government contended that when a person under investigation is able to move rapidly among a selection of services, it becomes difficult to identify all relevant services in advance for the purposes of obtaining a separate warrant authorising the interception of each of those services.

The Government responded to this problem by amending the legislation to provide for a new category of interception warrant: the named person warrant. Named person warrants enable an agency to intercept any services, which are, or are likely to be, used by the person identified on the warrant. Because a named person warrant is not confined to a particular service, an investigating agency now has the flexibility to rapidly connect and disconnect interceptions as the suspect changes from service to service during the currency of the warrant. The named person warrant provisions of the Amendment Act will be subject to a review in 2003.

Other recent changes which apply only to ASIO interception warrants (not to the more frequent policing warrants), are:

Privacy advocates have expressed concern that these amendments could have a precedent effect and lead to law enforcement agencies seeking similar extensions of their powers.

12.7. The telephone as a spy - CND and related surveillance issues

There are a number of telecommunications privacy issues which transcend the relatively straightforward matter of whether uses and disclosures are allowed and in what circumstances. These may loosely be described as the extent to which the use of telecommunications automatically and in real time reveals information about the user to the recipient (and others).

The first example of this is the Calling Number Display product, which uses calling line identification (an essential technical characteristic of telephone services) to allow the recipient to display or otherwise capture the number of the calling party. The complex privacy issues surrounding the introduction of CND are covered in detail in a 1996 AUSTEL Privacy Advisory Committee report (not available on-line) and in the ACIF Code already referred to [Code C522 link].

The outcome is that currently, the ACA registered and therefore binding Code allows carriers to offer CND services on condition that users are able to `block' display of their number either on a per-call basis (by dialing a prefix), or on a per-line basis (at the discretion of the subscriber). These blocking services have to be free of charge and well publicized, although there has been acrimonious debate about whether the carriers have fulfilled their commitments in this respect.

The CND Code is due to be reviewed by an ACIF working group, and there has been some suggestion recently that some authorities may be seeking (and even unlawfully already obtaining) CLI information in respect of calls where CND has been blocked.

The second example of `the telephone as spy' is the development of wireless location services, which allow the carriers, and potentially recipients of calls and other third parties, to know where, in geographic space, the caller is located. This capability has already been developed to a crude `area' level by analyzing the pattern of cells that a mobile user is connected to. But it is currently being massively enhanced by the integration of satellite global positioning system (GPS) functionality into new generation mobile phones.

Wireless location offers a range of potential benefits to users, but is being driven even more by perceived commercial applications, such as targeted marketing, and by law enforcement interests, which covet the ability to locate callers as part of their investigations. An Australian standard for mobile origin and location information (MOLI) has been under development for some time, without much public debate or consultation - partly by ACIF for network connection needs (see ACIF publication G530 on ACIF), but more significantly driven by national and international law enforcement working parties, including the ACA's Law Enforcement Advisory Committee.

The crucial threshold privacy issue in relation to wireless location services is the ability for users to easily turn location monitoring on or off. If users do have at least the technical option of turning location monitoring off, there will be a repeat of the CND debate as to whether the default setting should be on or off, and the circumstances in which organizations should be allowed to require users to have location monitoring switched on. In particular, there will be an argument from emergency services that their needs should override user preferences, but it would be dangerous to accede to this bid as it would open the door for other third parties to make a case for access to the location information.

12.8. Internet issues

The extent to which the telecommunications specific legislation and Codes affect the use of the Internet and the activities of Internet Service Providers is covered in a later class.

ACA Fact Sheet I Internet Service Provider Interception Obligations (PDF only) summarises the obligation of ISPs to breach the privacy of their customers in some situations.

ACA Fact Sheet I Internet service providers and law enforcement and national security (PDF only)

12.9. International Developments

The new European Union Directive on "the processing of personal data and the protection of privacy in the electronic communications sector" (http://www.gilc.org/as_voted_2nd_read.html), likely to be formally adopted later in 2002, to take effect from the end of 2003, will be seen as a benchmark in this area. It will replace the existing telecommunications privacy Directive 97/66. As already noted above, the new Directive is relatively weak on some issues, such as allowing domestic laws to require the retention of traffic data for law enforcement purposes. But in other areas, such as control of SPAM, and choices for users on location tracking, the Directive appears to set a high privacy protective standard.

12.10. ECHELON

There has been much controversy over the last few years about the ECHELON system, which is alleged to be a massive routine monitoring of satellite communications by the intelligence agencies of the UKUSA alliance - the USA, UK, Canada, Australia and New Zealand. Although highly classified, a considerable amount of information about the system has been published, initially in a book by New Zealand journalist Nicky Hager, and more recently in a comprehensive report for the European Parliament. The system is alleged to scan all communications for key words.

Countries outside the UKUSA alliance are outraged at the prospect of ECHELON spying on their communications - governmental as well as business and private, ostensibly in the name of national security but allegedly for diplomatic and commercial advantage.

Because the UKUSA allies refuse to comment publicly on ECHELON on national security grounds, it has not been possible to date to establish what if any lawful authority they may claim for the system. But it is difficult to see any basis - the surveillance appears to be taking place entirely outside the normal framework of privacy and interception laws.

For a detailed account of the ECHELON issue, see http://www.echelonwatch.org/

12.10.1. Intelligence agencies interception of communications in Australia

A related domestic version of the ECHELON debate took place recently in Australia with the admission by the government that the Defence Signals Directorate (DSD) had intercepted communications involving the MV Tampa which rescued asylum seekers from a sinking vessel in September 2002 and attempted to land them on Australian soil. Border protection became one of the defining issues of the subsequent federal election.

DSD, which previously operated without any clear statutory basis, is now governed by the Intelligence Services Act 2001. It is supposed to focus exclusively on foreign intelligence, and is expressly prohibited from storing or disclosing information about domestic communications, i.e. those involving Australians (citizens and permanent residents). But it does of course sometimes intercept communications in which one party is an Australian. An inquiry by the Inspector General of Intelligence and Security in April 2002 found that DSD had breached the (then non-statutory) guidelines in September 2001 by releasing four `end product reports' which incidentally involved Australians. While no Australian was named, in at least one case [his] identity could have been inferred.

The Inspector General also found that some of the DSD's methods might have breached the Telecommunications (Interception) Act. (As explained above, ASIO is the only intelligence agency with the authority to seek and execute warrants under the T(I) Act.) No details are given, but further consideration is being given to this issue by the Inspector General, who may report on it in his Annual Report. It may be that the Telecommunications Interception Legislation Amendment Bill 2002 already discussed above seeks to clarify and `fix' this particular problem.
