When the Australian Securities and Investments Commission's (ASIC) senior executive leader for financial services Tim Mullaly underwent a grilling from Greens communications spokesperson Scott Ludlam in a Budget Estimates hearing earlier this week over the agency's use of a, until recently, relatively dormant power in the Telecommunications Act to block hundreds of thousands of websites, he was at pains to point out that ASIC merely made "requests" — via fax machine — to ISPs to block those websites.
"I clarify that it was a request made. We do not serve notices. It is a request made," Mullaly told the Greens senator.
"But it is pursuant to the law of the land. It is a fairly uncompromising request," Ludlam replied. "You are not asking nicely; you are saying, 'You are legally obliged to block this content.' Right?"
Mullaly responded that the reading of Section 313 of the Telecommunications Act is such that the carriers have to give "reasonable assistance".
"They have the ability to consider whether or not it is reasonable assistance and they could come back to ASIC or to any other requester and raise an issue with us."
ZDNet has confirmed with senior executives within some of Australia's ISPs that they will assess each request from government agencies before enacting the block, but, as Mullaly said at the hearing, no ISP has so far rejected any request from ASIC to block a website.
But the mere act of compliance from the ISPs that ASIC asked to block websites has already led to at least two instances of thousands of websites being blocked by accident.
In the largest known instance in March, ASIC's request seeking to block an investor fraud website accidentally took out 253,000 websites. ASIC 's deputy chairman Peter Kell downplayed this by stating that 99.6 percent "contained no substantive content", and were essentially domain-squatting sites. Around 1,000 active websites were affected, he said.
While Kell has said that they were mere requests, it is unclear whether the language contained in the notices would be strong enough for ISPs to feel compelled to block the content, regardless of if it was just a request. Requests have been made for ASIC to release one of the forms sent out to ISPs, but the agency has so far not released the document.
David Vaile from the University of New South Wales' Law Faculty and Cyberspace Law and Policy Centre told ZDNet that the crime prevention part of Section 313 of the Act has no framework around what an ISP's obligation is in response to notices issued by agencies. The section says carriers must "do their best" to ensure their facilities aren't used to commit crimes, but there is no mention in the Act that government agencies can request sites to be blocked.
"313(1) and (2) names no one, nor creates any power to make a request, order, demand, suggestion, or hint. It requires no specification of any particular offence, nor any necessary connection between blocking and evidence of prevention," he said.
"It has no limits as to what an ISP might do in trying to 'do their best' — they could choose, off their own bat, if say their CEO believed in good faith, but perhaps wrongly that more blocking was always better than less, to be wildly excessive, and no one could get any compensation for any harm done.
"Or they could all just say 'no; we are not satisfied you can or have proved that this will be a useful mechanism, in the scheme of things, in relation to the timelines and scale of the internet, to have any significant impact compared to the various costs or risks'."
The lack of a statutory framework for the apparently quite open-ended blocking scheme is "truly worrying", he said.
"It could potentially invite everyone and their dog to make suggestions to carriers with ambit claims. And has no criteria, tests, or evidence base, nor restraints, limits, or other normal controls," he said.
"Compare this to the Telecommunications Interception and Access Act, which starts off with very strict controls and protections for security, confidentiality, and communications privacy in most cases, and only has strictly limited, if powerful, exceptions for certain government law enforcement purposes."
While ASIC pledged this week to become more transparent with the public about the sites it seeks to block, the lack of a statutory framework for the notices means that there will continue to be no regulatory oversight for all government agencies that have been using, or intend to use, these notices to seek to block websites that they believe are in breach of Australian law.
ASIC has said repeatedly since the announcement that the blocks have been sought to protect Australian consumers from scam websites, but the CEO of consumer lobby group the Australian Communications Consumer Action Network (ACCAN), Teresa Corbin, said that the blocks are ultimately detrimental to consumers.
"There may be consumer benefit in a fraudulent or criminal website being blocked, but consumers ultimately lose out when hundreds of thousands of legitimate websites are inadvertently wiped off the net," she said.
"This could be disastrous for a small business operator who suddenly finds that their website is blocked with no notification."
Corbin said that ASIC's own actions raise questions of incompetence, and are akin to using a sledgehammer to crack a nut. She said that there needs to be an oversight body for the use of this power, and that sites that are blocked need to provide information on why they were blocked when Australian users try to reach them.
Communications Minister Stephen Conroy has said that his department is looking into how the Section 313 requests system could be more transparent and accountable, but he said that at this stage, there is no central oversight for the 313 notice system.
Senator Scott Ludlam said that this means, for now, that any government agency can issue the notices with no accountability.
"It's entirely possible that literally hundreds of state, territory, and Commonwealth government agencies could lawfully filter the internet with no need for accountability or transparency at all," he said.