AFP using site blocking laws to target malware

The AFP has revealed it used a section of the Telecommunications Act, traditionally used to block child pornography websites, to target the spread of malware.

Claire Reilly Former Principal Video Producer
Image by Alexandre Normand, CC BY 2.0

The AFP has confirmed it made a number of requests to block websites suspected of distributing malware, under a sub-section of the Telecommunications Act traditionally reserved for blocking child pornography sites.

The disclosure came in the Australian Federal Police's submission to a Parliamentary inquiry on Section 313 of the Telecommunications Act 1997 -- legislation that stipulates telcos and ISPs must assist government agencies in enforcing criminal laws to "safeguard national security".

According to the Inquiry terms of reference, the AFP "uses section 313 to block domains (websites) which contain the most severe child sexual abuse and exploitation material using the Interpol 'Worst of' child abuse list".

However, it stipulates that "other Commonwealth agencies have also in the past used section 313 to prevent the continuing operation of online services in breach or potentially in breach of Australian law (e.g. sites seeking to perpetrate financial fraud)".

In its submission to the Inquiry [PDF], the AFP advised that it has made 23 individual Section 313 requests to block sites "used for illegal online activity" between June 2011 and August 2014, but that these were not just to prevent access to Interpol's 'Worst of' list.

According to the AFP:

"In early 2014, the AFP utilised a number of section 313 requests to prevent the distribution of peer-to-peer malicious software (malware) which was designed to steal personal banking and financial credentials from the platforms of Australian computer users.

"The AFP was aware that the domain supporting the malware was used for the exclusive purpose of distribution and updating the malware.

"The blocking by ISPs of this domain prevented the widespread distribution of this malware in Australia and the subsequent compromise of Australians' financial details that potentially could have been used to undertake large scale fraud."

Despite recognition that "there is currently no specific oversight on the use of Section 313 governed by the Telecommunications Act", the AFP said it should not be required to release specific details on individual requests.

"The AFP recognises the need to demonstrate accountability and transparency in respect of the use of section 313 requests in order to maintain public confidence that blocking powers are being used proportionately and appropriately," it said.

"However, [the AFP] considers releasing specific details publicly as to the nature of each individual request and to which ISP each request was made may have a substantial adverse effect on the proper and efficient operations of the AFP and may be contrary to the public interest."

Representatives from the telco and ISP side of the debate have raised concerns that the "broad terms" of Section 313 appear to allow requests to be made by "non-critical stakeholders".

In a joint submission to the Inquiry, the Australian Mobile Telecommunications Association and Communications Alliance argued that use of the legislation should be "restricted to Government enforcement and national security agencies" with safeguards to ensure that requests are "properly targeted and that legitimate websites and users are not also inadvertently blocked".