Banking and Financial Services Insights

29 October 2004

Interception bill creates risk for email screening on company servers

By Mark Sneddon.

Key Points:
Proposed Commonwealth legislation threatens the ability of banks and other corporations to quarantine inbound emails on their mail servers.

A Government Bill that narrowly failed to pass as a result of the calling of the federal election creates the risk, contrary to its intended effect, of companies engaging in unlawful conduct when screening emails on their servers. This may have a significant impact upon the banking sector as in future companies may find themselves breaching the federal Telecommunications (Interception) Act 1979 when checking and quarantining inbound emails on their mail servers, for example when checking for viruses or Trojans or objectionable content such as "phishing" emails. The intention behind the Bill is to clarify the Act by creating an exception to the perceived need for law enforcement agencies to obtain a warrant to access stored communications such as emails.

In our view, reading an email assembled on the addressee organisation's server does not require a warrant now as the email is not, at that point, "passing over a telecommunication system", a key component of the offence under the Act. The amendment is therefore unnecessary. The risk of enacting it is that it creates the inference that the amendment was necessary and that when the amendment sunsets in 12 months, the inference will be that a company cannot screen emails on its own server without a warrant. It would be absurd to suggest that companies should not be able to screen incoming emails on their servers now or when the amendment sunsets.

Unlawful communications interception

The Telecommunications (Interception) Act prohibits the interception of communications (including emails) passing over a telecommunications system unless the interception is made pursuant to a warrant or where the communication comes within an exclusion to the Act.

For the purposes of the Act a “telecommunications system” is a system for carrying communications by means of "guided or unguided electromagnetic energy" and encompasses LANs, WANs and any servers, modems and PCs connected to the network. As a result of this definition a company server will fall within the meaning of a “telecommunications system” while carrying the data that makes up an email.

Interception, according to the Act, consists of listening to or recording a communication in its passage over a telecommunications system without the knowledge of the person making the communication. The copying of an email, for example into a quarantine area as a result of a virus scan, constitutes recording.

A combination of the above findings, that a “telecommunications system” includes company servers and that “recording” information includes copying an email to a quarantine area (regularly done without the knowledge of the person making the communication), has led to a great deal of confusion among government agencies and the Internet industry. For example, both the Australian Securities and Investments Commission and the Australian Federal Police have argued that the current law is unclear in its application to emails stored on company servers and needs further clarification.

These doubts are largely misplaced: once emails have arrived at a company's email server and been assembled as digital data, they cease to be passing over the telecommunications system, because they are not at that time being propagated over it. Thus, at the time of recording the email into a quarantine area, it is no longer being transmitted or carried via guided or unguided electromagnetic energy and is no longer passing over the telecommunications system.

Changes to the Interception Act

The changes to the Telecommunications (Interception) Act that have been proposed by the Telecommunications (Interception) Amendment (Stored Communications) Bill 2004 would result in an additional exception being created for "stored communications". The exception states that it is not an offence to intercept a communication passing over a telecommunications system where that communication is a "stored communication".

This definition of "stored communication" would include an email sitting on a company email server. Under the proposed changes, a company or law enforcement agency would not be committing an offence when recording a "stored communication" such as email on a company's server that has not been read by the addressee. The proposed changes contain a sunset clause that comes into effect after 12 months.

The consequence of such an unnecessary amendment is the raising of an inference that copying stored emails is currently a prohibited interception (otherwise, why make the amendment?). If the changes to the Act are not continued after the 12-month period, it is likely that the lapsing of the exclusion will raise the inference that the interception of a stored communication will from that time on (again) become prohibited by the Act unless it is made under a warrant.

Organisations should be aware that even though these changes to the Telecommunications (Interception) Act failed to pass into law, they did so narrowly and only as a result of the calling of the federal election, and in a situation where the changes had passed through one House and were partly considered by the Senate. Organisations should consider lobbying to prevent the reintroduction of this Bill after the election unless it is substantially changed.

Mark Sneddon
Disclaimer
Clayton Utz communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this bulletin. Persons listed may not be admitted in all states or territories.
