Article by Elizabeth Levinson and Natalie Ceola

Following 18 months of development, the Australian Internet Industry Association (IIA) released a draft Cybercrime Code of Practice (Code) on Monday, 21 July 2003.

While the Internet can deliver enormous efficiencies for business, cybercrime is proving to be an escalating cost for Internet Service Providers (ISPs), government and businesses. Crime involving computers and electronic communications is a big challenge facing organisations, as crimes such as Internet-based fraud, hacking, card skimming and electronic money laundering are difficult to detect.

The 2003 Computer Crime and Security Survey, run in conjunction with the Australian Federal Police, Queensland Police, Western Australia Police and South Australia Police, highlighted the extent of electronic crimes. This survey found that:

  • total losses for organisations surveyed in 2003 were estimated at $12 million, more than double the losses for 2002
  • 42 per cent of organisations experienced one or more computer attacks which harmed network data or systems
  • financial fraud, laptop theft and virus, worm and trojan infections were the largest sources of losses.

Improving the safety and security of the Internet depends on early detection of criminal activity. The Code attempts to balance differing concerns including the law enforcement agencies' need to identify, investigate and prosecute offences, the privacy of end users and costs to the industry in complying with the Code.

The objectives of the Code are to:

  • facilitate cooperation between ISPs and law enforcement agencies and establish clear policies and procedures for investigations
  • provide a transparent mechanism for the handling of law enforcement agencies' investigations for the Internet industry and ensure both ISPs and law enforcement agencies understand the procedures
  • promote positive relationships between law enforcement agencies and the Internet industry
  • ensure that the privacy of users of the Internet will be protected from unlawful intrusion by law enforcement agencies.

The Code stipulates that customer information collected by ISPs must be retained for six or 12 months, depending on the type of information. Personal information, such as a customer's name, username, email address, phone number, credit card details and address details, must be retained for the greater of six months from the date a customer ceases to be a customer or 12 months after the creation of the record. Operational data, such as dynamic IP allocation records, dates and times of log-ins and the total data transferred, must be retained for six months from the date of creation. ISPs, however, are not required to capture subscribers' phone numbers via caller line identification.

The Code was delayed in its release due to privacy concerns. However, after consultation with the Privacy Commissioner it was determined that ISPs were not bound by the National Privacy Principles which were introduced on 21 December 2001 under the Privacy Act 1988 (Cth) (Privacy Act).

However, the Code requires all ISPs wishing to be a party to the Code to be bound by the Privacy Act. This means the Privacy Commissioner can exercise his power against ISPs bound by the Code who breach the National Privacy Principles.

The Code also reminds ISPs that if they disclose customer information to anyone other than law enforcement agencies, they are at risk of breaching the Telecommunications Act 1997 (Cth) and exposing themselves to the possibility of criminal penalties and up to two years imprisonment.

The IIA has also drafted an Industry Code of Practice for Internet Privacy.

A full copy of the draft Code is available from www.iia.net.au/cybercrimvt.html. A 30-day public consultation period in relation to the draft Code has commenced, during which time public input is welcome. Comments can be emailed to the Internet Industry Association at cybercrimecode@iia.net.au. The deadline for submissions is 21 August 2003.

The content of this article does not constitute legal advice and should not be relied on in that way. Specific advice should be sought about your specific circumstances.