Welcome to the Australian Communications and Media Authority's website. If you are utilising a screen reader, please read our accessibility information page for details as to how to gain access to content on our site in other formats.
Australian Government - Australian Communications and Media Authority

Internet service providers and law enforcement and national security fact sheet

How does the Telecommunications Act apply to Internet service providers and Internet access providers?

The Telecommunications Act 1997 (the Act) does not refer specifically to internet service providers (ISPs) or internet access providers (IAPs). The Act applies to ISPs and IAPs because they fall into the category of carriage service providers (CSPs). CSPs supply services for carrying communications to the public using a carrier’s network. All obligations that apply to CSPs apply to ISPs, including registration with the Telecommunications Industry Ombudsman under Part 10 of the Act, but some may not be relevant. This fact sheet covers obligations on ISPs and IAPs arising out of Parts 13, 14 and 15 of the Act. The term ISP is used to refer to both ISPs and IAPs.

What are the law enforcement and national security obligations of ISPs?

The law enforcement and national security obligations of ISPs are:

  • to give officers and authorities of the Commonwealth, States and Territories reasonably necessary assistance in relation to the enforcement of criminal law and laws imposing a pecuniary penalty, protecting public revenue and safeguarding national security;
  • to do their best to prevent their network and facilities being used in the commission of offences against the laws of the Commonwealth, or of the States and Territories; and
  • to ensure their network or facility is able to intercept a communication passing over it, in accordance with a warrant issued under the Telecommunications (Interception) Act 1979.

For more information about interception requirements see the ACMA’s Fact Sheet Internet service providers—interception obligations.

What are the privacy obligations of ISPs in relation to customer information?

Part 13 of the Act makes it an offence for an ISP and its employees to use or disclose any information or document which comes into its possession in the course of its ISP business, where the information relates to:

  • the contents or substance of a communication carried by the ISP (delivered or not); or
  • carriage services supplied, or intended to be supplied, by the ISP; or
  • the affairs or personal particulars of another person.

In what circumstances is an ISP authorised to disclose customer information?

Exceptions to the prohibition on disclosure of customer information include:

  • where the disclosure is reasonably necessary for the enforcement of the criminal law or the protection of the public revenue (see below);
  • where the disclosure is made to ASIO for the performance of its functions;
  • where the disclosure is required or is otherwise authorised under a warrant or under law.

What types of customer information will agencies be interested in?

For the purposes of simplification, the type of information agencies may be interested in can be categorised as;

  1. the Identity, Source, Path and Destination of nominated internet services, and/or
  2. the content of nominated communications.

ISP information needed to satisfy requests regarding the identity, source, path and destination of nominated services may come from various sources including :

  • customer registration details;
  • destination and origin email addresses for (user) target communications;
  • calling line identification (for user access links);
  • geographical location of a target service;
  • network/traffic related data; and
  • log files (for example, back up tapes showing details of a subscribers internet sessions, including files received).

Information categorised as content does not include network/trafic related data ie. information required through transmission through networks.

Legislation does not specifically require ISPs (or other CSPs and carriers) to keep this type of information for law enforcement or national security purposes. However, an agency may request the holding of information pending further information or court order. Any costs associated with these requests would need to be agreed between the parties.

Agencies may request access to this information as part of the reasonably necessary assistance requirement, or they may make a specific request that an ISP keep certain information pertaining to a particular user.

How can agencies request customer information from ISPs?

The primary means by which agencies can request access to customer information held by ISPs are by:

  • Part 13 Telecommunications Act requests;
  • warrants (either interception or general search);
  • notice authorised by, or under, law; or
  • Court process

Access by agencies to the content of an internet communication in transit will amount to an interception and can only be authorised under the Telecommunications (Interception) Act 1979 Cth.

Once a communication has been accessed by the user (or deemed to have been accessed, for instance, after it has left the network, or has been stored), it may be accessed by agencies acting under broader statutory or general law powers. These include a search warrant, a notice to produce, or an agency request for release of information derived from powers authorised by or under law [s.280 Telecommunications Act (1997) Cth]. This is a broad term which includes other statutory, judicial and quasi-judicial powers, such as court orders made during the discovery process, summons for witnesses to attend and produce records and subpoenas for documents.

Uncertified requests and certificates

Part 13 of the Act allows criminal law enforcement, public revenue and civil penalty enforcement agencies to make certified and uncertified requests for the disclosure of customer information.

For an uncertified request, the ISP must be satisfied that the disclosure of the information is reasonably necessary for the enforcement of criminal law, protection of public revenue or enforcement of a law imposing a pecuniary penalty.

Certified requests are those where a senior officer of a criminal law enforcement agency or a public revenue agency certifies in writing that the disclosure is reasonably necessary.

For certified requests, the ISP may rely on a certificate issued by an authorised officer that the disclosure is reasonably necessary. For uncertified requests, the ISP must make the judgement that the disclosure is reasonably necessary.

The requirement to provide reasonably necessary assistance does not apply to ASIO. Disclosures may be made to an officer or employee of ASIO authorised in writing by the Director-General of Security to receive the disclosure, where it is made for the performance of ASIO functions, or where the officer or employee certifies that the disclosure is connected with those functions. ASIO requests will usually be in writing, but there may be instances where an urgent verbal inquiry may be necessary.

Warrants

A warrant may be used to access other customer information, including stored communications (see below). Agencies may choose not to use the warrant process if the information may be requested by other means.

Record keeping requirements

ISPs (and other CSPs and carriers) must keep records of all disclosures made under Part 13 (other than disclosures made to ASIO) for each financial year and lodge those reports with the ACMA within 2 months of the end of that financial year. The section 308 report form for reporting disclosures is on the ACMA website.

On what terms must reasonable help be given?

ISPs must give reasonable help to agencies on terms and conditions agreed by the agency and the ISP, and on the basis that the ISP neither benefits from, nor assumes the costs of, giving that help.

What about stored communications?

Access to the content of communications (for example, electronic mail) stored on an ISP’s server is unlikely to fall within reasonably necessary assistance. An agency may use a general search or interception warrant or some other statutory provision to access stored communications.

Can an ISP be liable in civil proceedings for the disclosure of customer information?

Section 313 of the Act provides that a carrier or CSP is not liable for damages for an act done or omitted in good faith to give reasonably necessary assistance to officers and authorities of the Commonwealth, States and Territories.

Further information

For further information, please contact:

National and Community Interests Section
Australian Communications and Media Authority
PO Box 13112, Law Courts
Melbourne Vic 8010
Ph: (03) 9963 6800
Fax: (03) 9963 6961

The ACMA has fact sheets on a range of topics.

Please note: this document is intended as a guide only and should not be relied on as legal advice or regarded as a substitute for legal advice in individual cases.

 

Last update: 25 July 2012 16:32