Baker & McKenzie, an Australian Partnership, is a member firm of Baker & McKenzie International, a Swiss Verein with member law firms around the world. In accordance with the common terminology used in professional service organisations, reference to a "partner" means a person who is a partner, or equivalent, in such a law firm. Similarly, reference to an "office" means an office of any such law firm. © 2012 Baker & McKenzie Internet regulation against cybercrime Pros and cons of more regulation Patrick Fair, Partner Anne Petterd, Special Counsel Thursday 20 September 2012 NSW Society for Computers & the Law

Internet regulation against cybercrime

Pros and cons of more regulation

Patrick Fair, Partner

Anne Petterd, Special Counsel

Thursday 20 September 2012

NSW Society for Computers & the Law

Introduction

– Approaches to regulating cybercrime and internet offences
  – Just passed: Cybercrime Legislation Amendment Act 2012
  – In process: Defence Trade Controls Bill 2011

– To come?
  – Law reforms flagged in July 2012 AGD discussion paper Equipping Australia Against Emerging and Evolving Threats

Issues raised by cybercrime laws

Arguments against

• Difficult to be technology neutral / future proof

• Effectiveness / practical

• Invasion of privacy

• Lack of appropriate constraints on law enforcement monitoring powers

• Onerous implementation / Compliance obligations

Arguments for

• Keeping in-step with like-minded countries / compliance with treaty obligations

• Protection of consumers and business from cybercrime

Cybercrime Legislation Amendment Act

– Passed 22 August 2012

– Commencement

– Amends
  – Telecommunications (Interception and Access) Act 1979 (TIA Act)
  – Criminal Code
  – Mutual Assistance in Criminal Matters Act 1987
  – Telecommunications Act 1997

– Main purpose
  – Facilitate Australia’s accession to the Council of Europe Convention on Cybercrime

Domestic preservation orders

– Historic domestic preservation notice
  – Carrier to preserve all stored communications it holds on a day and receives up to the end of the day

– Ongoing domestic preservation notice
  – Carrier to preserve all stored communications it holds on the day and receives up until the end of the 29th day

– How long must communications be preserved?

Foreign preservation order

– Carrier to preserve all stored communications it holds from receiving the notice to the end of the day

– AFP issues notice upon receiving a compliant mutual assistance request
  – Reasons why preservation needed
  – Connection to relevant serious foreign contravention

– Rules for revoking notice
  – 180 days elapsed without a request for access
  – AG refuses mutual assistance request
  – Mutual assistance request withdrawn

Preservation orders compared to access

– Preserves communications
  – Still need to apply for warrant to access communications

– Agencies have broader scope in preserving than accessing information
  – Agency may be aware stored communications relating to a person exist, but not which CSP / carrier holds those communications
  – Agency needs reasonable grounds for suspecting there are / might be stored communications that might assist in the investigation

Preservation order considerations

– Potential for wild goose chases given lower standard to satisfy than to access communications?

– Increased burden on telcos

– Preserving information securely
  – Confidentiality
  – Integrity of information

– Foreign orders
  – Ensuring compliance with conditions

Criminal Code Amendments

– Remove the limitation that computer offences only apply to conduct involving Commonwealth computers, Commonwealth data or use of a carriage service

– Part 10.7 Computer Offences
  – Repeals definition and references to “Commonwealth computer” in offence provisions
  – Deletes requirement that unauthorised access etc be caused by a carriage service (s 477.1(1)(b))

Reason for amendment

– Meet convention requirements to establish as a criminal offence
  – Access to a computer system without a right
  – Interference with data without right
  – Interference with functioning of a computer system without a right

– Expect increase in prosecutions?

Defence Trade Controls Bill

– Introduced November 2011

– Not cybercrime legislation as such
  – Attempts to apply Australian export controls for tangible subject-matter to intangible subject-matter

– Intended to bring Australia into line with other countries regulating intangible transfers of controlled subject-matter
  – Subject-matter of a type listed on the Defence Strategic Goods List
  – Military use and dual-use sections to the list

Current law

Current export controls only regulate tangible transfers

– High-end controlled encryption software loaded on a machine requires a permit for export. Internet download or email of same software overseas does not currently require a permit

– A manual containing controlled subject-matter requires a permit to be exported in hardcopy, but no permit is required if emailed overseas

Proposed regulation of intangible transfers

– A permit will be required to supply controlled technology regardless of form
  – By a foreign person in Australia to a foreign person outside Australia
  – By an Australian person to a foreign person – regardless of where located

– Note: tests may change before the Bill is passed

Proposed regulation of services

– A permit will be required to provide services relating to controlled goods or technology
  – Where services are provided by an Australian person and received outside Australia by a foreign person
  – Where services are received in Australia by a foreign person – regardless of who is the provider

– Note: tests may change before the Bill is passed

Issues raised by the proposed laws

– “Australian person” and “foreign person”
  – Knowing who you are emailing to

– Knowing whether what you are emailing is controlled
  – Some technical expertise required to interpret the DSGL
  – Does an exception apply?

– Navigating Criminal Code extended jurisdiction categories – section 15.2

– General lack of business awareness of current export controls?

– Monitoring compliance?

– Employment discrimination concerns

Impacted industries and activities

– Research bodies

– Universities
  – Foreign students
  – Overseas courses

– Pharmaceutical, biotechnology and nanotechnology industries

– Off-shore delivery centres

– Transfers within a corporate group

– Cloud computing?

– Defence industries

Current status

– Nov 11 referred to Senate Standing Committee on Foreign Affairs, Defence and Trade

– Universities actively involved

– Preliminary report 15 August 2011
  – Critical of limited consultation
  – More investigation on implications
  – Some changes expected

– Final report 31 October 2012

Emerging Threats Discussion Paper

Outline

– What is in the paper?

– What did submitters say about the key issues?

– What is the committee process?

What is in the paper? (1)

– Review privacy framework within the Telecommunications (Interception and Access) Act: privacy objects to be inserted

– More specific technical requirements to protect information and infrastructure: mandated enforceable security requirements

– Extending the interception regime to social networking and cloud providers: record keeping and interception for webmail, Twitter, Instagram etc.

– A tiered model with a sliding scale of interception and delivery capability depending on the size of the provider: new framework for interception requirements

What is in the paper? (2)

– Retention of current information and assistance to agencies to decrypt information: new data retention regime, decryption obligations

– Clarify the role of the ACMA and industry standards, expanding the range of regulatory options available to the ACMA: more enforcement

– Establish a risk based regulatory framework: need to see quantification of risk to understand what this might look like

– All C/CSPs to protect their infrastructure and the information held on it or passing across it from unauthorised interference: need more information on what these requirements might involve

What is in the paper? (3)

– C/CSPs to provide Government with information to assist in the assessment of national security risks to telecommunications infrastructure on request: issues of cost recovery, compensation and the cost of maintaining the capacity to assist.

– Compliance framework based on C/CSPs demonstrating competent supervision and effective controls over their networks. C/CSPs to demonstrate compliance to Government on request (compliance assessments and audits): audit and reporting requirements.

A quote from page 26

– “The requirements are aimed at ensuring that agencies keep appropriate records necessary to demonstrate that they are using their powers lawfully. However, many of the requirements reflect historical concerns about corruption and the misuse of covert powers and do not reflect the current governance and accountability frameworks within which agencies operate”

– ?!

What did submitters say about key issues?

– paper lacks detail

– paper lacks evidence to demonstrate proportionality of measures being proposed

– concern about the cost of network and information protection measures

– concern about how increased costs and requirements will impact existing and long term contracts

– concern about the costs of data retention requirements

What did submitters say about key issues? (2)

– concern about the costs of data retention requirements

– concern about the risk to privacy of large amounts of personal data being retained

– who will bear the risk of data breach?

– a better approach to some issues may be industry cooperation via a code of practice

Composition of the PJCIS

Hon Anthony Byrne MP (Chair) Australian Labor Party, Member for Holt (Vic)

Hon Philip Ruddock MP (Deputy Chair) Liberal Party of Australia, Member for Berowra (NSW)

Senator Mark Bishop Australian Labor Party, Senator for Western Australia

Senator the Hon George Brandis SC Liberal Party of Australia, Senator for Queensland

Senator the Hon John Faulkner Australian Labor Party, Senator for New South Wales

Senator the Hon David Johnston Liberal Party of Australia, Senator for Western Australia

Senator the Hon Ursula Stephens Australian Labor Party, Senator for New South Wales

Mr Michael Danby MP Australian Labor Party, Member for Melbourne Ports (Vic)

Mr John Forrest MP The Nationals, Member for Mallee (Vic)

The Hon Kevin Rudd MP Australian Labor Party, Member for Griffith (Qld)

Mr Andrew Wilkie MP Independent, Member for Denison (Tas)

6 Labor, 3 Liberals, 1 National and 1 Independent

Next steps?

– PJCIS is meeting on 26 and 27 September in Sydney

– May be meeting again in Canberra (TBA)

– No reporting date set in terms of reference.

Questions and discussion