AFP backs proposed guidelines for website blocking

The Australian Federal Police has put its support behind a Communications Department-led proposal to introduce whole-of-government guidelines for blocking websites as part of law enforcement efforts.

The guidelines seek to ensure transparency and accountability over agencies using section 313 of the Telecommunications Act to request that carriers and service providers block certain websites deemed to be involved in criminal activities.

The section of the Act has been in place for around 15 years, but agencies - specifically the AFP, ASIC and another within the Attorney-General’s Department which has been kept secret for “national security reasons” (widely believed to be ASIO) - only started using the provision regularly in 2012.

Section 313 came under the spotlight after the Australian Securities and Investments Commission last year admitted it inadvertently blocked 250,000 websites in an effort to block just 1200 - a result of being ‘unaware’ a single IP address could host multiple websites. The error led to the establishment of a parliamentary inquiry into the use of the section.

In response to the criticism of ASIC’s error, the Communications Department has floated ways to improve transparency of the practice with a set of minimum requirements and recommended procedures, which would apply to all federal agencies using the section.

The department suggested agencies:

• develop specific internal policies outlining their procedure for requesting site blocking
• seek a one-off clearance from their agency head or minister to block websites prior to implementing a services disruption policy
• ensure that service disruption is limited to a specific criminal activity
• consult across government and the telco industry to ensure the technical measures outlined in service disruption policies are “effective, responsible and appropriate”
• use stop pages on blocked websites where appropriate to identify who requested the block, why it was requested, a point of contact, and how to seek a review of the block
• have internal review processes in place to quickly review or lift a block
• publicly announce each instance of a site block where appropriate, and
• report site blocking to the ACMA, or to the appropriate parliamentary committee

According to the Communications Department, 32 requests over the last two years have been made to block websites - 21 by the AFP, ten by ASIC, and a single request by the unnamed agency.

It did, however, point out that agencies are not obligated to report on their use of the provision.

The department said it saw no problem with agencies continuing to be responsible for issuing their own section 313 notices once the guidelines are implemented.

The department also suggested that site blocking be limited to instances involving serious criminal activity or threats to national security - specifically those carrying a maximum prison sentence of two years, or equivalent financial penalty.

“Each agency is taking their own approaches, and we’re proposing that there be clear guidelines that particular agencies essentially provide information about how they are using the section,” deputy secretary Ian Robinson told a parliamentary hearing into section 313 today.

“One of the problems with the current regime is that there isn’t any public reporting of the number of requests,” assistant secretary of the consumer protection branch Rohan Buettel added.

“Over two years as far as we are aware there were only 32 requests, but I think there is an acceptance that there is a problem with the accountability of public reporting.”

When questioned on how the public could be assured website blocking was not done ‘frivolously’ given the current lack of transparency, Buettel said it was a “very big thing to block a website on the internet”.

“I don’t think in practice any government agency would go ahead and do it without giving some detailed consideration to the particular matter and properly investigating it.”

Representatives from the Australian Federal Police supported the proposed guidelines and said a whole-of-government approach could have prevented the inadvertent blocking of 250,000 websites by ASIC.

National manager of the AFP’s high-tech crime operations Glen McEwen and deputy commissioner of close operations support Kevin Zuccato said while the existing legislation was effective, there was an obvious need to improve transparency of its use.

They stressed that site blocking was only one factor in a range of strategies used to combat - in the AFP’s case - child exploitation online.

“It’s not like we block a site, high-five one another and move along,” Zuccato said. “Blocking of a site is one measure we put in place to ensure people are not defrauded or [able to] view images of children being abused.”

McEwen said ensuring the technological capabilities and knowledge required to block sites effectively were available across the whole-of-government would help prevent a repeat of the ASIC error.

“It’s a question of ensuring due dilligence,” Zuccato said. “If you’ve got a domain name, before you ask someone to do something about it, make sure you’re asking the right questions and what you’re asking is not going to cause a problem.

“We’ve got procedures in place with Interpol for when we block sites on the 'Worst Of' list to ensure we don’t make a mistake.

“And the good thing about the fact that something did go wrong [with ASIC] is we’ve learnt those lessons and we can put protocols in place to ensure it doesn’t occur again.”