Computerworld

New ASIC guidelines for web blocking awaiting legal sign-off

ASIC prepares to finalise guidelines for use of web-blocking measures

Guidance for Australian Securities and Investments Commission staff on the use of Section 313 (3) of the Telecommunications Act to block Australians' access to particular websites or online services is currently in draft form and awaiting sign-off from ASIC’s legal office, some 10 months after the government issued whole-of-government guidelines.

The ASIC s313 guidelines are expected to be approved shortly and could be released within a month, Computerworld understands.

Under the section of the Telco Act, telecommunications providers must “give officers and authorities of the Commonwealth and of the States and Territories such help as is reasonably necessary” for “enforcing the criminal law and laws imposing pecuniary penalties”, “assisting the enforcement of the criminal laws in force in a foreign country”, “protecting the public revenue”, and “safeguarding national security”.

The authority of the act has been used by government agencies including ASIC and the Australian Federal Police (AFP) to issue notices to Internet service providers (ISPs) requesting that they block their subscribers from accessing certain websites.

The AFP has primarily used the power to block access to child exploitation material but it has also employed s313 to block the spread of malware.

ASIC’s use of s313 has focused on blocking websites associated with fraud. The commission has used s313 at least 10 times to block websites – and on one occasion issued a request for an IP-based block that mistakenly led to some Australian Internet users being unable to access around 250,000 unrelated sites.

Outcry in the wake of that incident led to a 2014 parliamentary inquiry into the use of the power. The report of the inquiry by the Standing Committee on Infrastructure and Communications, released in mid-2015, rejected suggestions to narrow the scope of s313 or impose restrictions on its use.

The June 2015 report from the committee said that narrowing the range of agencies that could use the power would be “unnecessarily restrictive.”

The committee also concluded that limiting the offences against which s313 could be employed would be “unnecessary and overly restrictive”.

“The Committee supports the concept of s.313 being a broad and flexible mechanism for responding to changing circumstances in the online environment,” the report said.

However, the committee did recommend that the government develop whole-of-government guidelines in order to reduce the risk of unintentional blocking of web services and to increase transparency around the use of s313.

Although the federal government accepted the recommendation, it wasn’t until April 2016 that draft guidelines were released for consultation. In July 2017, a final version of the guidelines was published.

The guidelines, which don’t apply to state and territory agencies, recommend a range of measures to limit unintentional disruption of online services, including agencies developing internal policies and procedures for disruption requests.

Under the guidelines, agencies should only request the disruption of access to services in cases that involve “serious criminal or civil offences, or threats to national security”. The document gives the example of offences with a maximum prison term of at least two years or a financial penalty of at least $25,200.

The guidelines recommend that where possible an agency’s policies and procedures should be made publicly available, and Computerworld understands that ASIC intends to publish its s313 guidance for staff on its website once it is finalised.