Home | Databases | WorldLII | Search | Feedback Privacy Law and Policy Reporter

Holland, Bradley --- "Overtaking privacy in the telecommunications transit lane" [2005] PrivLawPRpr 10; (2005) 11(6) Privacy Law and Policy Reporter 165

Overtaking privacy in the telecommunications transit lane

Bradley Holland

The sensitivity of governments to possible terrorist action has been heightened to a level where personal liberties and privacy rights are increasingly under threat. The Telecommunications (Interception) Act 1979 (Cth) (TI Act) balances the protection of a person’s communications passing over a telecommunications system with the need by law enforcement agencies to obtain access to such communications for the purposes of national and public security. Generally, where such access is required, a Judge or member of the Australian Administrative Tribunal (AAT) must issue an interception warrant to the requesting agency, otherwise the intrusion will be unlawful.

On 14 December 2004, the third attempt by the government to introduce a concept of ‘stored communications’ under the TI Act succeeded. Parliament passed the Telecommunications (Interception) Amendment (Stored Communications) Act 2004 (Cth) (SC Act) effectively removing the need for law enforcement agencies to apply for an interception warrant to access stored communications. While these changes cease to have force on 14 December 2005, personal privacy is now at risk by potentially allowing a person to obtain access to exempted communications based on specific technology or application characteristics. The Attorney-General announced that the SC Act is designed to ease access to stored communications by limiting the effect of the TI Act to ‘live’ communications.[1] The primary justification for doing so is to enable law enforcement and regulatory agencies additional access to information while investigating criminal activity. Secondary justifications include a trial-and-error approach to determine the legal effect of such changes on new technologies[2] as the protections under the TI Act were “originally designed for voice telephony”[3] and are now outdated with the progression of technology.

It is argued in this paper that the SC Act is flawed on at least five grounds. First, the SC Act attempts to redefine what communications are protected on a new technological basis. The objective of the TI Act is to protect a person’s privacy using a telecommunications network regardless of the technology used to enable that communication.

Second, the Australian public cannot be adequately compensated as a result of the removal of the privacy protections of stored communications. In contrast to unlawfully executed search warrants, the remedies available under the TI Act are broader and contemplate restitution for invasions of privacy in addition to ordinary monetary compensation.

Third, relaxing issuing procedures established in relation to interception warrants greatly affects a person’s privacy in that information. The Interception warrants process places reporting requirements on State and Federal governments and specifically requires the issuer to consider the impact on a person’s privacy.

Fourth, concern by organisations in relation to the difficulties caused by the TI Act for the implementation of their ‘acceptable use’ policies or computer virus management are better met under other legislative methods that are available.

Fifth, the changes made by the SC Act will require the courts to consider the application of technologies to determine whether a communication is exempted under the TI Act. Recent case law in the United States provides an example of the difficulty a court faces to determine these types of questions.

The privacy foundations of telecommunications interception law

The concepts introduced by the SC Act overlook the foundations of interception legislation in Australia since the first prohibition was legislated in 1960 by the introduction of the Telephonic Communications (Interception) Act 1960 (Cth). The objective of the 1960 enactment was two-fold. First, the government had decided that it was necessary that all interceptions were to be regulated by legislation setting out the limits within which and the purposes for which interceptions were prohibited.[4] The second foundation of interception legislation is:

“...to make the people of this country comfortable in the knowledge that there will not be any intrusion on their privacy unless there are facts which afford just ground for thinking that their telephone facilities are being used or have become likely to be used to the detriment of the security of this country.”[5]

Arguably, these foundations are still the basis of current interception law. While the 1960 Act was repealed, the TI Act was enacted in substantially the same terms with the exception that the scope of the TI Act was widened to cover communications passing over a telecommunications system, not just the telephone system. In 1989, Parliament also acknowledged that future technological capabilities impact on the types of communications available and hence broadened the protection offered by the TI Act covering communications in the form of speech, music, sounds, data, text, visual images, signals or any other form.[6] Clearly, the regime that has been built under the TI Act has an obvious trend towards augmenting the protection of privacy of communications over a telecommunications system.

Technological changes to privacy

The TI Act protects communications passing over a telecommunications system from being intercepted without an interception warrant.[7] The SC Act seeks to exclude a broadly defined ‘stored communication’ being a communication that is stored on equipment or any other thing, from the operation and privacy protections of the TI Act. Under the SC Act, a voice over Internet protocol (VoIP) communication or any communication of a highly transitory nature as an integral function of the technology used in its transmission is not a stored communication. While the amendments introduced by the SC Act are temporary (for a twelve-month period) and will cease to have effect on the 14 December 2005, the government proposes that a review of the amendments and the effect of new technologies on the TI Act will take place. However, neither the review nor its scope has been enshrined in legislation.

The explanatory memorandum of the SC Act posits a two criteria test to determine whether a communication is a stored communication.[8] First, if the communication exhibits a highly transitory nature by being still in transit and not momentarily buffered in the telecommunications system it will not be a stored communication. Second, the explanatory memorandum stresses that a communication that is ‘live’ or in ‘real time’ must only be intercepted once an interception warrant has been issued.[9] Should like amendments introduced by the SC Act be made permanent in the future, further amendments will be required to track technological change and innovation. At any place in time where the provisions of the TI Act lag the application of new technologies the emergence of ‘loopholes’ is possible. At worst case, litigation as to whether a communication falls within the meaning of ‘stored communications’ could expose law enforcement agencies to the risk that obtained intercepted material is rendered inadmissible. The language of the TI Act prior to the introduction of the SC Act tried to avoid this situation.

Conceptually, the distinction between ‘live’ or ‘real time’ communications and stored communications is difficult. Most electronic communications must be stored, albeit briefly, in current telecommunication systems - a situation that the SC Act contemplates. The period of storage of a communication is at the heart of the issue. Unfortunately, by electing to regulate what types of communications privacy provisions protect, Parliament has potentially changed personal behaviour and what technological applications people may use safely. The suggestion by members of Parliament that email is nevertheless ‘mail’ misconceives how the public uses electronic communications.[10] Electronic communications such as an email may never be reduced to a hardcopy written form such as ordinary postal mail and yet will exist in an easily replicable electronic form indefinitely. There is strong argument that such communications demand more privacy protections than that offered to ordinary forms of mail and other messages in hardcopy format.

Fundamentally, the SC Act ignores the foundations of personal privacy in communications. This is not the first attempt by Australian government to create a ‘stored communications’ exemption. Privacy groups and opposition parties thwarted two previous Bills[11] based on various views of privacy incursions. Strangely, the SC Act’s exemption is even more broadly based than that proposed in the previous Bills. It appears that the twelve-month period has provided the impetus to pass the amendments, or perhaps the impending control of the Senate by the Australian government in July 2005.

Parliament appears to have adopted a trial-and-error approach so that the provisions of the TI Act are “rewound for a period of 12 months ... for the purpose of assessing just how these regulations and laws fit into the concept of new technology”.[12] The twelve-month period has the characteristic of a backstop; just in the case the ‘concept test’ of stored communications at law fails. What compensation will be afforded to individuals that have their privacy invaded under the SC Act during the concept test stage, particularly if the pending review finds that provisions similar to the SC Act should not be reintroduced after the twelve-month period? Normally, an aggrieved person would have recourse under the TI Act as a result of an unlawful interception.[13] While civil remedies exist in relation to a search warrant[14] or controlled operation,[15] such remedies are limited and based on monetary compensation.[16] The TI Act contemplates that monetary remedies for the restitution of invasions of privacy may be inadequate and hence other remedies such as declarations, injunctions and punitive damages are available.[17] The current state of the law in this situation is now completely unsatisfactory.

The provisions of the SC Act become problematic for transactions involving multiparty electronic communications. The protection of the TI Act covers a communication or a part of that communication. Electronic communications such as email exhibit different characteristics to voice communications. Email is easily replicable and this replication is necessary where the communication is to be sent to multiple recipients. In the situation where a sender sends an email, only one communication has been made and each recipient will receive a part, being a replica, of that communication. One part of the communication may be delivered and stored in a recipient’s mailbox, while at the same time a part of the same communication is still passing over the telecommunications system to another recipient. While access to the part of the communication that is in storage would be exempt under the TI Act and would not be an illegal interception, access without an interception warrant of the second part of the communication may be an illegal interception, as that part of the communication is still passing over the telecommunications system. As this scenario makes clear, as long as one part of the communication is in storage and that part is accessed, no illegal interception will have occurred. This produces absurd results by effectively rendering the protection of communications passing over the telecommunications system useless as that same communication can be obtained by other, now lawful, means introduced by the SC Act.

By focusing on a specific issue and trying to adapt the provisions of the TI Act to the introduction of new technology Parliament has created a hole in the privacy safety net. The consequences of such action do not really need review as ultimately the result is reduced personal privacy in electronic communications.

Overtaking the need for government transparency

Where law enforcement agencies require access to a communications protected under the TI Act, application to a Judge or an AAT member for an interception warrant is required.[18] Regardless of the type of offence being investigated, the requesting agency must, among other things, convince the Judge or AAT member that an interception is necessary and that other methods of investigation have been used, or are available to that agency.[19]

By requiring an agency to seek alternative methods of investigation before an interception is permitted, the interception warrant process inherently has concern for a person’s privacy of communications, and the intrusiveness of interception, even when that person is a suspect in an investigation for offences such as murder or terrorism.[20] For lesser offences,[21] the TI Act requires that a Judge or a member of the AAT have regard to the extent to which a person’s privacy would be interfered with in issuing an interception warrant. Clearly, these considerations temper the power of law enforcement agencies by weighing up two competing needs – privacy and national security.

Counterbalances of this nature can also be found in State legislation controlling the use of surveillance devices which also requires a court to have regard to similar considerations required by interception warrants.[22] However, search and seizure warrants do not specifically require a magistrate to have regard to other methods of investigation or the impact of any interference of the suspect’s privacy in granting a warrant.[23] While such a process may be implicit in the magistrate’s decision making under State Acts, specific considerations are mandatory under the TI Act.

The TI Act also mandates specific record-keeping, reporting and inspection procedures to be complied with. The Minister must produce before each House of the Parliament annual reports detailing, among other things, relevant statistics in relation to interception warrants issued for the year. State government agencies are also required to report on, and keep records of interception warrant applications.[24] The Ombudsman or other government complaints authorities have the capability to inspect these records to ensure compliance on reporting procedures or on investigation of complaints.[25] These reporting mechanisms enforce transparency in government activities by promoting public scrutiny and inspection by independent parties of such activities.

One of the justifications presented by the government is the speed at which electronic communications can be destroyed, which has the effect of hampering investigations. The Australian Federal Police (AFP) submitted to the Senate Legal and Constitutional Committee that the amendments were required to streamline the process in obtaining access to stored communications, otherwise “...highly disposable and easily destroyed forms of evidence will be placed at risk.” However, as one MP noted, the current number of issued interception warrants stands at 3,058, “[s]o it is not as if these warrants are hard to get or are not being used by the relevant authorities.”[26] At best there is a perceived need that process improvements are necessary. As far as privacy is concerned, the arguments supporting the SC Act are less compelling and unless hard data is presented, permanent changes after the twelve-month period should be rejected.

Overtaking privacy in favour of corporate policies

The AFP’s submission is noteworthy in relation to corporate governance. The AFP also raised concern that the TI Act prevented the AFP, and arguably other organisations, in conducting “...protective corporate governance, particularly in relation to monitoring improper content in compliance with the AFP’s ‘acceptable use’ policy, and protecting AFP information systems from viruses.”[27] Such a proposition is astounding as no interception will take place under the TI Act, if an AFP member or staff has knowledge that the AFP will be monitoring their communications.[28] Where communications come to the AFP from external sources, the AFP may be in breach of the TI Act as a result of satisfying their organisation’s internal policies.

Organisations can still control the influx of harmful viruses without the need of the SC Act. As cautioned by the Labour party, in the Parliament’s “...eagerness to embrace some of these amendments in totality we do not want to end up in a situation where we throw the baby out with the bathwater.”[29] Unfortunately, the baby is out in the cold. In contrast, Parliament has not needed to change the TI Act to combat new technological threats such as spam, but has elected instead to implement specialist legislation to deal with unsolicited electronic commercial messages.[30]

Parliament has made provision in the Telecommunications Act 1997 (Cth) (Telco Act) to enable licenced carriers and services providers such as Telstra and Primus to use or disclose information where authorised by or under law.[31] These provisions address access needs such as information discovery in legal processes,[32] or procedures to be undertaken in the control of unsolicited commercial electronic messages.[33] Parliament could amend the Telco Act to allow licenced carriers and service providers to scan messages for harmful content on behalf of organisations, or address the need through the authorisation of industry codes developed by the telecommunications industry and registered by the Australian Communications Authority. Such a solution is preferable as licensed carriers and service providers are bound to accepted privacy principles which provide a solid and accepted framework in the processing of personally sensitive information.[34] Arguably, various provisions of the Telco Act would permit carriers and service providers to offer such services already.[35] Whatever the result, the resolution is less the concern of the TI Act and the Attorney General’s Department and is more appropriately managed within technological forums for consideration by the Department for Communications, Information technology and the Arts for legislative process under the Telco Act.

The difficulty in determining a stored communication

The case of United States v Councilman[36] illustrates the difficulty faced by a court in the determination of whether a communication is a stored communication. As this case makes clear, electronic communications exhibit a stored-transit dichotomy, a phenomenon of data communications such that either side could argue that a communication was in storage or in transit.

Facts

Bradford Councilman was the Vice-president of Interloc, a company whose primary business was an online listing service of rare and out-of-print books. Interloc was also an internet service provider and supplied email services to its client base, book dealers. Interloc’s system administrator devised a program designed to intercept, copy and store all messages sent from Amazon.com before being delivered to the book dealer’s email box. The process was designed to intercept messages before their delivery to the book dealer’s mailbox. As the email appeared to the book dealer as ‘unread’ even though Interloc had copied it, the book dealer was unaware that this process had taken place. Interloc employees read the copied emails seeking to gain competitive advantage.

Councilman was charged with conspiracy to intercept electronic communications, to intentionally disclose and use the contents of the unlawfully obtained communications under Title I of the Electronic Communications Privacy Act (Wiretap Act).[37] Councilman claimed any activities undertaken by Interloc in relation to the email were processed in “electronic storage” and therefore outside the Wiretap Act. The United States District Court found in favour of Councilman that the Wiretap Act did not cover electronic communications in “electronic storage”. The government appealed to the United States Court of Appeal. In a 2 to 1 decision, the United States Court of Appeal upheld the District Court’s finding.

The Law

The Wiretap Act prohibits the intercept of wire and electronic communications under certain conditions. A wire communication is any aural transfer made between a point of origin and reception over transmission facilities including the electronic storage of such communication. Electronic storage of a wire communication may take the form of a voicemail system. In contrast, electronic communications are only protected, in whole or in part, while in transmission.

The majority of the Court of Appeal held that Congress had not made express provision for protection of electronic communications in electronic storage as it had for wire communications and as such no interception had taken place. In finding that electronic communications were protected in the transfer of the communication and not while in storage, the clear intention of Congress was to give lesser protection to electronic communications than wire or oral communications.[38] The majority observed however, that the language of the Wiretap Act “...may be out of step with the technological realities of computer crimes.”[39] Specifically, the Court reflected on observations made by the trial judge in relation to the concepts of transfer and storage for electronic communications:

“[t]echnology has to some extent, overtaken language. Travelling the internet, electronic communications are often – perhaps constantly – both ‘in transit’ and ‘in storage’ simultaneously. A linguistic but not a technological paradox”.[40]

The processing technique used by Interloc involved the interception of emails still in transit for delivery to the recipient’s mailbox. The Court found however that as Congress had excluded stored messages from interception it did not matter whether a part a message was in transit, as long as any part of that message was in storage an illegal interception would not take place. Of more concern is the rationale of the Court in determining whether the emails were stored. It was agreed between the parties that the emails, when processed by Interloc, existed in the memory or the hard drives of Interloc’s computer system or both. As the emails were ‘stored’ albeit temporarily in memory or on hard drive, contemporaneous storage of the message while it was in transit was enough to void the protections offered by the Wiretap Act.

Review

The provisions of the SC Act contemplate some of the problems confronting the Court in the case of United States v Councilman.[41] First, under the SC Act a message that is still in transit would be considered a ‘live’ communication and hence, not stored. The fact that the message is temporarily both in memory and on the server’s hard drive would classify the message as momentarily buffered, a situation which results in a communication as falling within the TI Act.

Difficulties arise in situations where the message has been delivered but not accessed or read by the user. Arguably, the SC Act contemplates that such a message is a stored communication. However, the delivery of electronic communications such as email is on a store-and-forward basis, that is, the communication will be stored in a number of temporary mailboxes until it can be delivered to its final destination. At what point in time does an email communication become stored when it exhibits this store-and-forward behaviour. The time period between a store and the next forward may not be short enough to be classified as “highly transitory”, but is nevertheless in transit and enroute to its final destination.

Perhaps the most radical change brought about by the SC Act is its effective deconstruction of the boundaries of the telecommunications system, as that term is defined in the TI Act. These boundaries are conceptual in nature and do not necessarily translate to a physical boundary, such as the end of a telephone line or a data connection. Rather, the main focus of the SC Act is to separate a communication passing over a telecommunications system from one that is a stationary or stored communication. The SC Act does not identify any physical boundary, as it is indeed possible for a stored communication to exist on a server within the telecommunications system, for example, on a carrier’s email, SMS or voicemail server. However, one cannot ignore the application of technology and its effect on the status of a communication. Such conundrums may now be presented for resolution by Australian courts.

Conclusion

The spectre of terrorism and organised criminal activity is as alive in our minds today as the threat of invasion, espionage or subversion by communist elements was to the Australian people in 1960. Prior to the SC Act, the TI Act put in place limits on the power of law enforcement agencies to interfere with personal privacy. Where interceptions took place, reporting and statistics were in place to reveal the scale of agencies activities for scrutiny by the Australian public.

Broad protection for communications privacy has been the fundamental basis of interception legislation in Australia for nearly half a century. Effective safeguards are in place to balance national security and personal privacy. These established safeguards should not be discarded when it becomes convenient to do so with the introduction of new technologies. Fortunately, Parliament did not succumb to the elimination of personal privacy rights in 1960 or in 1979 to the benefit of enforcers of national security. There is a temporary departure from these solid privacy foundations. Hopefully, after the return to normality on the expiration of the twelve-month period, Parliament will not continue to wear holes in the privacy safety net without proper engagement of the community and evaluation after formal public debate.

Bradley Holland B.Eng(Hons), JD is a practising solicitor and is with Telstra Corporation Limited

The views and opinions expressed by the author are personal views and opinions and are not necessarily those of Telstra Corporation Limited

[1] Media Release, 079-2004, “Telecommunications Interception Powers Strengthened” , 27 May 2004.

[2] Parliamentary Debates, House of Representatives, 8 December 2004, Robert McClelland (Barton), Shadow Minister for Defence and Homeland Security, 48.

[3] Above n 1.

[4] Parliamentary Debates, House of Representatives, 5 May 1960, Sir Garfield Barwick (Parramatta), Minister for External Affairs and Attorney-General, 1425.

[5] Ibid.

[6] Telecommunications and Postal Services (Transitional Provisions and Consequential Amendments) Act 1989 (Cth), s 38.

[7] Interception warrants are issued under Telecommunications (Interception) Act 1979 (Cth), pt VI.

[8] Explanatory Memorandum, Telecommunications (Interception) Amendment (Stored Communications) Bill 2004, 3-4.

[9] Ibid, 4.

[10] Parliamentary Debates, House of Representatives, 8 December 2004, Malcolm Turnbull (Wentworth), 50.

[11] Telecommunications Interception Legislation Amendment Bill 2002 (Cth); Telecommunications (Interception) Amendment Bill 2004 (Cth).

[12] Above n 2, 48.

[13] Telecommunications (Interception) Act 1979 (Cth), pt XA.

[14] Crimes Act 1914 (Cth), pt 1AA, Div 2.

[15] Ibid, s 15ID.

[16] Ibid, s 3M.

[17] Telecommunications (Interception) Act 1979 (Cth), s 107A(7).

[18] Ibid, div 4.

[19] Ibid, ss 45(e)(i), 45A(e)(i), 46(2)(d) and 46A(2)(d).

[20] These type of offences are defined as ‘class one’ offences under section 5 of the Telecommunications (Interception) Act 1979 (Cth).

[21] These type of offences are defined as ‘class two’ offences under section 5D of the Telecommunications (Interception) Act 1979 (Cth).

[22] Surveillance Devices Act 1999 (Vic), s 17(2).

[23] Crimes Act 1914 (Cth), s 3E(1); Crimes Act 1958 (Vic), s 465; Search Warrants Act 1985 (NSW), s 6.

[24] Telecommunications (Interception)(State Provisions) Act 1988 (Vic), pt 2; Telecommunications (Interception) Act 1988 (SA), ss 4 to 7; Telecommunications (Interception) Act 2001 (NT), pt 2.

[25] Telecommunications (Interception)(State Provisions) Act 1988 (Vic), pt 3; Telecommunications (Interception) Act 1988 (SA), s 8; Telecommunications (Interception) Act 2001 (NT), pt 3.

[26] Parliamentary Debates, House of Representatives, 8 December 2004, Daryl Melham (Banks), 51.

[27] Australian Federal Police, “Senate Legal and Constitutional Committee Inquiry into the provisions of the Telecommunications (Interception) Amendment (Stored Communications) Bill 2004”, undated, 2.

[28] Telecommunications (Interception) Act 1979 (Cth), s 6(1).

[29] Above n 26, 53.

[30] Spam Act 2003 (Cth).

[31] Telecommunications Act 1997 (Cth), s 280.

[32] In Application of Telstra Corporation Limited [2000] FCA 682.

[33] Telecommunications Act 1997 (Cth), 113(q)(i).

[34] Privacy Act 1988 (Cth), sch 3 and Telecommunications Act 1997 (Cth), pt 13.

[35] Telecommunications Act 1997 (Cth), ss 3(c), 3(d), 3(h) and 3(j).

[36] 245 F.Supp.2d 319, 321 (D.Mass 2003), decision affirmed United States of America v Councilman, [2004] USCA11 99; 373 F.3d 197, 204 (1^st Cir. 2004).

[37] 18 U.S.C. § 2511.

[38] With the enactment of the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act 2001 (the USA Patriot Act), wire communications are no longer protected while in electronic storage.

[39] United States of America v Councilman, [2004] USCA11 99; 373 F.3d 197, 204 (1^st Cir. 2004).

[40] United States of America v Councilman, 245 F.Supp.2d 319, 321 (D.Mass 2003).

[41] 245 F.Supp.2d 319, 321 (D.Mass 2003), decision affirmed United States of America v Councilman, [2004] USCA11 99; 373 F.3d 197, 204 (1^st Cir. 2004).