The Australian Securities and Investments Commission has published the full text of its official notices to telcos requesting that they block websites suspected of providing fraudulent financial information, with the documents revealing that both the frequency and breadth of the agency’s blocking activities have increased since they began 12 months ago.
Last month the Federal Government confirmed its financial regulator ASIC had started requiring Australian ISPs to block websites suspected of providing fraudulent financial opportunities, in a move which appeared to also open the door for other government agencies to unilaterally block sites they deem questionable in their own portfolios.
The move is based on the use of Section 313 of the Telecommunications Act, which allows government agencies to ask ISPs for reasonable assistance in upholding the law, a mechanism which is also being used for the Government’s limited Interpol-based filter to block child abuse material. However, there appears to be no public oversight of the process, no appeals mechanism, and no transparency to the public or interaction with the formal justice system. A move by ASIC in April to block several sites suspected of providing fraudulent investment information resulted in the inadvertent blockage of some 1,200 other innocent sites.
The move was immediately greeted with alarm by a number of political groups and digital rights lobby organisations, who expressed concern that ASIC’s move could herald the covert return of the Federal Government’s previous mandatory Internet filtering scheme, which the Government abandoned in November last year. Commentators immediately called upon the Government to reveal how widespread the practice is.
Since that time, ASIC has admitted to another incident in which it inadvertently blocked some 250,000 websites, and another unnamed agency within the Attorney-General’s portfolio, suspected of being ASIO, has been revealed to also be using the Section 313 power on “National Security” grounds.
In the wake of the ASIC revelations, several parties filed Freedom of Information requests with ASIC seeking to ascertain more details of its blocking practice. The Pirate Party Australia immediately filed a Freedom of Information request with the Australian Securities and Investments Commission, seeking documents relating to the blocking of, filtering of, or interference with the IP address blocked by the agency in March and April, in addition to any other website.
Late tonight, ASIC responded to the FoI requests filed by both Delimiter and the Pirate Party Australia, releasing its Section 313 notices in full, as well as a small amount of correspondence associated with the notices. You can download the documents sent to Delimiter here (PDF) and the documents sent to the Pirate Party Australia here (PDF).
The documents reveal that ASIC initiated its website blocking campaign by targeting three major telcos — Telstra, Optus and AAPT — in June 2012. At the time, ASIC senior manager of Deterrence, Financial Services, Michael R. Ryan, sent the three telcos a letter requesting a US-based IP address be blocked for a period of a month. The letter was headlined under the moniker ‘Op Ark’, which is believed to refer to Operation Ark, an ASIC operation which aims to combat organised crime targeting Australian investors through fraudulent investment material — often through Internet-related fraud.
Under different operational labels, ASIC filed subsequent Section 313 notices with the three telcos in October, November and December 2012, as well as January, February, March and April this year. In all cases, the regulator requested that one or several internationally hosted IP addresses be blocked by the telcos for a period of one month.
ASIC typically cited its belief that the websites concerned had breached regulations concerning the provision of financial information, and sometimes listed the suspected fraudulent companies involved by name.
In November, the regulator added another name to its list — Pacnet, another major provider of telecommunications services, and in March this year PIPE Networks was added to the list. The list is significant because it appears from its Section 313 notices that ASIC is attempting to block the websites concerned at a network backbone level rather than at the level of a retail ISP. All of the telcos concerned provide underlying network services to retail ISPs such as iiNet or TPG, and so it appears that ASIC is attempting to block the websites at the core of Australia’s Internet in a way that will flow through to retail ISPs, rather than requesting those retail ISPs themselves block the sites.
This impression is reinforced by a letter from a lawyer at PIPE Networks sent back to ASIC in response to the blocking notice. The lawyer — whose name has been blacked out from the documents — notes that “as previously advised”, PIPE could “only block the addresses on our own network and cannot completely block them on our submarine cable, due to the way capacity on the cable is sold”.
It appears that none of the telcos concerned pushed back on ASIC with regard to its blocking requests, although Section 313 notices are not believed to have been used in this way in Australia previously. A network engineer for Optus, for example (whose name is redacted from the documents), replied by email to ASIC several times merely noting that the requests had been actioned.
In one instance, ASIC requested that an IP block filed in April this year be lifted. It is possible that this could refer to the revelation in April this year that the regulator had accidentally blocked some 1,200 sites, including Victorian education site Melbourne Free University. The site’s owners contacted various parties, including the Greens, their ISP and the Attorney-General’s Department seeking information on why their site had been blocked. It was subsequently unblocked.
It remains unclear why ASIC’s standard use of the Section 313 notices requested that the telcos block sites for one month only, although it is possible that the regulator’s use of the power for that short period was designed to give it some breathing space while it sought to take down the sites more permanently at the hosting layer.
This theory is given credibility by a document included in the FoI release material, which saw ASIC obtain a Federal Court Order for one site to be taken down.
ASIC’s consistent use of raw IP addresses — rather than website names — in its Section 313 notices suggests that the agency’s separate accidental blockages of some 1,200 and 250,000 sites on different occasions were not anomalies. Given how common shared web hosting is, where many unrelated sites sit behind a single address, it would have been more technically accurate for the regulator to have requested that only specific website URLs be blocked, rather than IP addresses; that would most likely have caught only the sites concerned, rather than thousands of others hosted at the same address. The caveat is that matching on a URL requires the telco to look at the request or its hostname rather than simply drop traffic to an address in its routers, so it is more work for the network operator, but it is the only way to avoid this kind of collateral damage on shared hosts. It is believed that this URL-based approach is the approach taken by the AFP in its similar Section 313 blocks involving a ‘worst of the worst’ list of child abuse sites supplied by international policing agency Interpol.
The use of IP addresses in this manner appears to suggest a degree of technical incompetence on ASIC’s part, given that it would also be possible for a blocked site to easily and quickly switch IP address to a new web host, but retain the same website URL, evading ASIC’s blocking regime within a matter of hours.
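To make the two failure modes concrete, here is a small model of the contrast drawn above, written as an added example for this page. It is not code from Delimiter, ASIC or any telco, and the hosting table it uses is constructed: the hostnames are placeholders and the addresses come from documentation ranges, so nothing in it refers to the sites ASIC actually blocked. It compares an address-based block (what the notices requested, including the CIDR-range case) with a hostname-based block, counts the collateral sites caught by each, and then moves the target site to a new host to show which block survives the move.

```python
import ipaddress

# Constructed hosting table (illustrative names; 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges, not real hosts). Four unrelated
# sites share one address, as is typical of shared web hosting.
HOSTING = {
    "fraud-investments.example": "203.0.113.10",
    "free-university.example": "203.0.113.10",
    "bakery.example": "203.0.113.10",
    "blog.example": "203.0.113.10",
    "bank.example": "203.0.113.20",
}


def sites_blocked_by_ip(block_list, hosting):
    """Address-level block, as in the notices: every hostname whose address
    falls inside a listed address or CIDR range becomes unreachable."""
    nets = [ipaddress.ip_network(entry, strict=False) for entry in block_list]
    return {
        host for host, addr in hosting.items()
        if any(ipaddress.ip_address(addr) in net for net in nets)
    }


def sites_blocked_by_host(block_list, hosting):
    """Hostname-level block: match on the name only, case-insensitively and
    ignoring a trailing dot. The address the name resolves to is irrelevant."""
    wanted = {name.lower().rstrip(".") for name in block_list}
    return {host for host in hosting if host.lower().rstrip(".") in wanted}


def assess(blocked, targets):
    """Summarise a block set against the sites that were actually meant to be blocked."""
    targets = set(targets)
    return {
        "blocked": len(blocked),
        "collateral": sorted(blocked - targets),   # innocent sites caught as well
        "evaded": sorted(targets - blocked),       # intended targets still reachable
    }


def rehost(hosting, host, new_addr):
    """Simulate the site operator moving to a new web host: same name, new address."""
    updated = dict(hosting)
    updated[host] = new_addr
    return updated


if __name__ == "__main__":
    targets = ["fraud-investments.example"]
    ip_list = ["203.0.113.10"]
    print("IP block:            ", assess(sites_blocked_by_ip(ip_list, HOSTING), targets))
    print("IP block, whole /24: ", assess(sites_blocked_by_ip(["203.0.113.0/24"], HOSTING), targets))
    print("Host block:          ", assess(sites_blocked_by_host(targets, HOSTING), targets))
    moved = rehost(HOSTING, targets[0], "198.51.100.5")
    print("IP block after move: ", assess(sites_blocked_by_ip(ip_list, moved), targets))
    print("Host block after move:", assess(sites_blocked_by_host(targets, moved), targets))
```

Run as-is, the address block on the shared host catches three innocent sites alongside the one target, the /24 range catches the whole table, and the hostname block catches exactly one. After the target is rehosted, the address block still lists the old address and so blocks only the three innocent sites while the target is reachable again; the hostname block is unaffected by the move.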
ASIC’s comprehensive response to the FoI request — in which it has redacted very little information from the documents as supplied — runs counter to the approach taken by the Australian Federal Police when Delimiter filed a similar FoI request around the use of Section 313 notices earlier this year. In that case, the AFP redacted a significant amount of material from its documents, including the identities of the ISPs it targeted.
In May, then-Communications Minister Stephen Conroy asked his department for measures which could provide transparency around government use of Section 313 notices to block websites, and it has been reported that meetings between the major Federal Government departments have been convened on the issue. However, Conroy resigned his post on Wednesday this week, following the ascension of Kevin Rudd once more to the Prime Ministership, and it is not clear yet who Conroy’s successor will be, or what their attitude will be to the use of Section 313 notices.
There are a few things we can take away from the text of the Section 313 notices which ASIC has provided to Delimiter and the Pirate Party Australia.
Firstly, ASIC has demonstrated that it is relatively technically inept (surprise!). You can see this through the use of IP addresses rather than website URLs (which resulted in thousands of innocent websites being blocked), you can see it in the attempt by ASIC to have websites blocked at network layers as low as PIPE Networks’ submarine cable (which was not possible for PIPE), and you can see it in the fact that ASIC only targeted a small number of telcos rather than a comprehensive spread. Frankly, it appears that the regulator’s blocks would have been relatively ineffective if used against smart website operators, and that they would have been easily evaded by those seeking to visit the blocked sites. Great.
Secondly, you can see that very little of the actual communication between ASIC and the telcos on this issue took place via email chains that can be documented and are subject to FoI requests. I am sure that Telstra, AAPT, Optus and PIPE Networks communicated with ASIC at least cursorily on this issue, and probably extensively. But that communication must have taken place by telephone and not by email. This speaks to a somewhat secretive approach by both ASIC and the telcos on this matter.
Lastly, what we see is that the telcos did not appear to fight ASIC on this issue, despite the fact that its use of Section 313 notices in this manner was virtually unprecedented. We don’t see anything here in terms of lawyers questioning ASIC’s rationale for blocking the sites or even why the regulator wanted whole IP addresses of shared web hosts blocked, rather than specific URLs. This is somewhat disturbing, given the fact that ASIC’s actions represented direct interventions in the telcos’ businesses and technical platforms. It suggests that Australian telcos are used to rolling over for Section 313 notices on an ongoing basis.
All of this points to the need for independent, centralised oversight of the use of Section 313 notices by Federal Government agencies. The Australian population deserves better than for technically inept agencies to unilaterally decide to block random websites and a host of innocent ones, with no accountability measures in place. It’s abundantly clear that Australia’s telcos are pretty happy to roll over and let Australia’s law enforcement agencies do what they will with our Internet — let’s be under no illusions: Australia’s telcos will not act as watchdogs in this system.
Let’s hope that Conroy’s successor — whoever they are — makes this issue a priority. Because if they don’t, I can assure them: Those of us in Australia’s media who are tracking this situation will not desist in our efforts to provide transparency and accountability around the use of Section 313 notices by government agencies. Unilateral and secretive blocks of websites are just not a concept any modern democracy should be comfortable with.