ISPs must keep some data under new law

Australian telcos will soon be required to retain customer traffic data under a new law proposed to allow Australia to accede to the Council of Europe Convention on Cybercrime.

The Council of Europe Convention on Cybercrime is a treaty designed to foster cooperation and common policy between nations for dealing with multi-national crimes committed on computer networks across the globe such as online fraud or child pornography offences. It has been in place since 2004; however, the Australian Government first flagged its intention to become a signatory to the treaty in May 2010, releasing a discussion paper on the convention in February 2011.

In its report handed down to Parliament yesterday (PDF), the joint committee on treaties said that privacy concerns raised about internet service providers (ISPs) being required to retain all email and communication information from customers under the convention were addressed as part of the Convention itself, and would be covered under Australian legislation.

"The Convention itself does ... contain guarantees for human rights protection and judicial review, and there is reason to be confident that these protections will be enforced: the framework of domestic law effected by Australia's accession to the Council of Europe Convention on Cybercrime provides robust privacy safeguards and accountability mechanisms," the report said.

According to the Attorney-General's Department, the convention will require ISPs to preserve email and other communication data for users that law enforcement agencies are investigating for criminal activities.

"In some cases that may be as small as one text message, in other cases it might be two months worth of emails. It'll differ depending on the case," Catherine Smith, assistant secretary in the telecommunications and surveillance law branch of the Attorney-General's Department, told a committee hearing in March.

The actions would be targeted, according to Smith, and ISPs would not be required to keep all data on all users under the convention, as had been suggested.

ISPs already keep data on users for various lengths of time; however, this would regulate under what circumstances and for how long they need to hold information in case law enforcement requires it.

The committee recommended that the government accede to the convention, but raised concerns over a lack of transparency from the government while it was investigating the treaty. The committee has subsequently recommended that the government report to the committee on any potential legislative changes that need to be made in order to accede to the convention.

According to the committee's report, the following pieces of Commonwealth legislation will need to be changed:

• the Criminal Code Act 1995 will need to have computer offences expanded;
• the Mutual Assistance in Criminal Matters Act 1987 and the Telecommunications (Interception and Access) Act 1979 will need to be changed to allow law enforcement to require ISPs preserve and collect traffic data and stored computer data at the request of another country; and
• the Copyright Act 1968 will have to be expanded to cover extended jurisdiction obligations in the convention.

The Attorney-General's Department today told ZDNet Australia that these laws will be amended under the Cybercrime Convention Amendment Bill 2011, which the government is planning to introduce in the winter sittings of parliament.

Attorney-General Robert McClelland welcomed the findings of the report yesterday.

"This recommendation is an important step towards Australia acceding to the Convention, which will enhance international cooperation whilst providing Australian agencies with necessary tools to combat cybercrime," McClelland said in a statement.

"It criminalises certain types of conduct committed via computer networks and contains a series of powers and procedures such as the search of computer networks and interception."