ASIC 'unaware' blocking a single IP address would hit multiple sites

The Australian Securities and Investments Commission has said that the staff members who asked ISPs to block websites were unaware that blocking a single IP address would block thousands of websites.

Despite accidentally blocking thousands of websites in one hit, the Australian Securities and Investments Commission (ASIC) has argued that it should still keep the controversial power to request ISPs to block websites contravening Australian law.

The power to compel ISPs to block websites, contained in Section 313 of the Telecommunications Act, only gained public attention after it was revealed that ASIC had accidentally blocked 250,000 websites, including the website of Melbourne Free University, in April 2013 when seeking to block websites associated with investment fraud.

Unlike child abuse websites blocked by the Australian Federal Police (AFP), websites that were being blocked by ASIC did not inform people who attempted to reach those pages of why the sites were blocked.

Thus far, the blocking power has only been used by ASIC, the AFP, and an as-yet-unnamed national security agency. Since April 2013, it is believed that the AFP is the only organisation that would continue using the power.

Following criticism of the lack of transparency and central oversight of this power, a year later, Communications Minister Malcolm Turnbull has established a parliamentary inquiry into the use of Section 313.

In ASIC's submission to the inquiry, published today, the agency explained that it did not intend for so many websites to be blocked, and that it was due to a lack of knowledge in the agency of how IP addresses work.

"Our internal review identified that the ASIC teams requesting s313 blocks were not aware that a single IP address can host multiple websites," ASIC stated.

ASIC said that although it hasn't used the power since April 2013, if in future websites are to be blocked, ASIC will work with the ISPs to ensure that only the target websites are blocked.

The commission has recommended to the committee that agencies should still have direct access to the website-blocking power to ensure that websites are blocked in a "timely manner", but suggested that the government should specify which agencies should have access to that power, in a similar way to how the Telecommunications Interception and Access Act details which agencies can request stored telecommunications customer "metadata" without a warrant.

In future, ASIC said that websites blocked should only be those that are related to serious criminal activity or are a threat to national security, and those websites blocked should then have a notice informing the user as to why the site has been blocked.

iiNet said in its submission that Section 313 is "too broadly framed", with access allowed to too many government agencies, and said a standard approach should be set out that requires a court order before a request is sent to an ISP to block a website.

The Communications Alliance and the Australian Mobile Telecommunications Association said in their joint submission that Section 313 notices should be restricted to government enforcement and national security agencies, with guidelines, safeguards, and reporting on the blocking of websites.
