Reckless Oz regulator runs roughshod over rights

Summary: The Australian Securities and Investments Commission censored a website it alleges was part of a scam — plus 1,200 others as collateral damage. An apology is nowhere near enough.

Ladies and gentlemen, may we please have a slow hand clap for the Australian Securities and Investments Commission (ASIC)? It wrongly killed access to more than 1,200 presumably innocent websites for over a week — and for many of the organisations and individuals who owned them, email would have also ceased to flow. Without an explanation to any of them.

Now, I don't want to be a smug so-and-so and say we told you so — but we did. When the Australian government decided to use a creative interpretation of communications law to "volunteer" internet service providers (ISPs) to block access to child pornography, critics warned of the potential for scope creep, and the censorship of less heinous websites. And that's exactly what we have here.

So, what's happened?

Two years ago, when the government's plan to introduce new laws to force all ISPs to censor the internet on its behalf had clearly become a political liability, it came up with another idea. Following negotiations with major ISPs and the Internet Industry Association (IIA), a voluntary code was introduced, under which participating ISPs would block access to a list of internet domains that hosted "severe child sexual abuse content" compiled by Interpol.

No new laws would be needed. Instead, it would use Section 313 of the Telecommunications Act 1997, which requires telcos to provide help to "officers and authorities of the Commonwealth and of the states and territories" in matters of enforcing the criminal law and laws imposing pecuniary penalties; assisting the enforcement of the criminal laws in force in a foreign country; protecting the public revenue; and safeguarding national security.

The archetypical uses of this law are things like preventing the terrorist making the phone call that triggers the bomb, or preventing a criminal from being warned that the police have him surrounded — or, conversely, patching through a phone call to the gunmen in a hostage situation. Such uses are presumably uncontroversial. Lives might be at stake.

Using this law to implement the Interpol blacklist was novel. ISPs that volunteer to take part are asked by the Australian Federal Police (AFP) to implement the filtering, giving them legal immunity.

However, the Interpol blacklist consists of domains that have been confirmed by two independent law enforcement agencies to be hosting the really nasty stuff. Anyone whose access is blocked is redirected to a web page explaining why, and describing the process they should follow in case it's a mistake. Blocking the communication of child pornography should also be uncontroversial.

But if Section 313 sounds wide ranging, that's because it is, and its use by ASIC is rather different.

"ASIC has warned consumers about the activities of a cold-calling investment scam using the name 'Global Capital Wealth' ... The scammers offer consumers opportunities to invest in a managed share trading fund," it wrote in a media release dated March 22.

"The scammers operate websites at www.globalcapitalwealth.com and www.globalcapitalaustralia.com, which purport to provide share trading services. ASIC has already blocked access to these websites.

"ASIC's concern is that the scammers, via their websites, promotional material, and cold calling, appear to be fraudulently using the Australian business number (ABN), Australian company number (ACN), and Australian financial services (AFS) licence number of Global Capital Resources Pty Ltd, a licensed financial services business with no connections to Global Capital Wealth."

Life and limb are not under threat here, nor are young children being abused. The only risk is about money — and, even then, the only people at risk are those too greedy or too stupid to realise that the deals being offered are too good to be true. That's quite a bit of scope creep — especially since ASIC only has "concern" about what the sites "appear" to do.

ASIC made the mistake of requesting that access be blocked to the sites' internet protocol (IP) address. More than 1,200 other sites used the same address — a common situation with commodity-grade shared internet hosting. That ASIC didn't know this demonstrates a fundamental ignorance of how the internet works. It's like putting road blocks around an entire suburb because one shop is selling dodgy merchandise. And the problem was compounded by not providing an explanatory web page.

This isn't a random oopsie. This is a complete cock-up. To call ASIC's effort "ham fisted" would be an insult to people whose fists are actually made of ham.

"The government is working with enforcement agencies to ensure that Section 313 requests are properly targeted in future," said a spokesperson for Communications Minister Senator Stephen Conroy yesterday. Good. But it's not enough. Nowhere near enough.

One of ASIC's key responsibilities is ensuring that Australians are protected from dodgy and reckless business operators. And yet, in the operation of its own "business" of serving the Australian people, ASIC has acted recklessly. It disrupted the communications of more than 1,000 individuals and organisations that were going about their lawful business — and to me, that sounds like a crime under other sections of the Telecommunications Act.

If a crime's been committed, we need an investigation and a head on a spike. Those affected should be compensated. And we should take a closer look at what Section 313 really means in the internet age.


About

Stilgherrian is a freelance journalist, commentator and podcaster interested in big-picture internet issues, especially security, cybercrime and hoovering up bulldust. He studied computing science and linguistics before a wide-ranging media career and a stint at running an IT business. He can write iptables firewall rules, set a rabbit tr...
