ASIC admits to lack of technical knowledge in s313 use

Australia’s corporate regulator ASIC has pushed for the continued ability to use section 313 notices to block websites, despite revealing it ‘wasn’t aware’ a single IP address could host multiple websites when it inadvertently blocked 250,000 websites last year.

The Australian Securities and Investments Commission in 2013 admitted that in attempting to block 1200 websites using the section 313 notice, it had accidentally turned off 250,000.

In a submission today to the parliamentary inquiry investigating the use of the controversial section of the Telecommunications Act, ASIC lobbied for the continued ability to block websites.

“Our experience using s313 to block websites indicates that it is a useful measure for disrupting investment frauds and warning Australian investors that the investment being offered is not legitimate.

However, our use of s313 has also highlighted the risk that other websites may be inadvertently blocked in the process.” 

- ASIC's submission to the inquiry into s313

It specifically referenced a case in April last year when it requested several internet service providers block a number of IP addresses after ASIC became aware a “serial fraud offender” had begun operating two fraudulent websites.

The agency was later advised that one of the IP addresses hosted 1090 websites, including that of Melbourne Free University, which had been inadvertently blocked as a result of the ASIC request.

ASIC conducted an internal review after realising its section 313 requests could catch other websites, and found the teams charged with requesting the blocks were not aware that one IP address could host multiple websites.

It identified that to avoid a repeat occurrence, the responsible ASIC team would need to work better with other internal ASIC teams and ISPs to ensure blocks only affect the targeted website.

ASIC said it had not made an s313 blocking request since the April issue.

“ASIC’s current approach is to request voluntary suspension of any fraudulent websites and domain names through correspondence to the hosting ISP and domain name registry. ASIC will also consider issuing a consumer alert or public warning notice.

“ASIC will consider re-using s313 following appropriate consultation with other relevant agencies such as the Australian Federal Police (AFP) and with the telecommunications carriers.”

The regulator has traditionally used the notice to block websites linked to investment scams.

It suggested s313 be available to those government agencies able to access communications data under the TIA Act, and that agencies using the provision should continue to be responsible for authorising their own notices.

“However, the level of authorisation required within each agency is an important accountability measure and must be limited to an appropriate number of senior staff. Again, the level of authority required needs to be balanced against the ability for the agency to take timely action once an illegal website is detected.”

It is “critical” that ASIC has a tool such as s313 notices to disrupt investment frauds, the agency said, given the difficulties in doing so specifically with overseas-based fraudsters coupled with the expected growth in risk of investment fraud over the next 20 years.

The regulator said it supported improving the transparency and accountability of how the website blocking notices are used, and gave its support for seven whole-of-government principles governing the use of the section previously floated by the Department of Communications.

The principles include:

• agencies being transparent and only blocking websites where there is a “strong and demonstrable” public benefit;
• restricting content blocking to material representing serious criminal activity or a national security threat;
• the development of clear blocking policies approved by a relevant Minister;
• consultation with relevant agencies and ISPs on effective and responsible blocking prior to use of the notice;
• the specification of which senior officers within an agency can request blocks as well as an outline of internal review processes against appeals to website blocks;
• a public announcement in appropriate circumstance of the block request; a notification page displayed on the blocked website informing users of what has occurred, and
• a list to be maintained by the Australian Communications and Media Authority (ACMA) of the agencies using the section.