The government has released guidelines for Commonwealth agencies that employ Section 313(3) of the Telecommunications Act to request ISPs’ assistance to disrupt illegal online services.
The use of Section 313 came to prominence after the Australian Securities and Investments Commission (ASIC) in 2013 issued notices to a number of ISPs requesting that they block their customers from accessing IP addresses associated with several fraudulent websites.
However, the organisation did not realise that a single IP address could be shared by multiple websites. When ISPs complied with ASIC’s Section 313 notice, hundreds of thousands of unrelated websites were also blocked.
The Australian Federal Police has used Section 313 to attempt to slow the spread of malware by blocking command and control servers. The AFP is understood to be the agency to have most frequently employed the power.
The AFP has primarily used Section 313 notices as part of its Access Limitation Scheme to request ISPs block access to INTERPOL’s ‘Worst of List’ of websites that host child abuse material. Last year, 2021 domains were added to the ALS list.
In the wake of the ASIC incident, a parliamentary inquiry scrutinised the wide-ranging power given to government agencies by the section of the Telco Act.
Section 313 of the act obliges telcos to “give officers and authorities of the Commonwealth and of the States and Territories such help as is reasonably necessary” for “enforcing the criminal law and laws imposing pecuniary penalties”, “assisting the enforcement of the criminal laws in force in a foreign country”, “protecting the public revenue”, and “safeguarding national security”.
The report of that inquiry, published in June 2015, rejected calls to limit the organisations able to employ Section 313 and the circumstances in which they can employ it.
However, one recommendation made by the inquiry, and accepted by the government, was that whole-of-government guidelines be developed in an effort to avoid future ASIC-style debacles.
In April 2016, the government finally released draft guidelines on the use of Section 313. The lengthy delay between the issuing of the draft and today’s release of the final guidelines led ASIC to work on its own internal guidelines, which it said it would base on the government’s draft.
The new guidelines offer a collection of “good practice measures” for federal government agencies, though state and territory agencies are encouraged to apply them too.
Agency head approval should be obtained to use Section 313(3), and agencies should develop internal policies and procedures for disruption requests, the guidelines state.
Individual requests for disruption should be authorised by an appropriate officer at the level of senior executive service officer or equivalent.
Where possible an agency’s policies and procedures should be made publicly available, the guidelines say.
Agencies “should limit disruptions to cases involving serious criminal or civil offences, or threats to national security”, with the guidelines offering the example of offences with a maximum prison term of at least two years or a financial penalty of at least $25,200.
One change in the final guidelines is that the likely effectiveness of an ISP-based website-block for disrupting a service should be considered before issuing a Section 313 notice.
The guidelines state that where possible, agencies should publish details of each web-blocking request. Agencies should also, where appropriate, provide a ‘stop page’ that ISPs can display and include details such as the reason for the block and an agency point of contact.
Finally, agencies should establish review and complaints procedures, the guidelines state.
The section on technical implementation has seen the most substantial alteration between the draft and final version of the guidelines, in an effort to avoid potential problems with IP address-based blocking.
The draft recommended that when making a request, agencies should endeavour to make it as targeted as possible.
“This usually means requesting that a Uniform Resource Locater (URL)—the specific address of a website—be blocked, rather than Internet Protocol (IP) addresses,” the draft stated. “IP addresses generally host multiple websites, requests to block these risks disrupting access to non-target websites.”
“Agencies should note that ISPs use different methods to block websites and when making a request, agencies should endeavour to make it as targeted as possible and consider the method used by the ISP,” the final version of the guidelines warns.
“This will usually mean requesting that a Domain Name System (DNS) and/or Uniform Resource Locater (URL)—the specific address of a website—be blocked, rather than Internet Protocol (IP) addresses. Requests to block IP addresses risks disrupting access to non-target websites as IP addresses generally host multiple websites.”