
Journal of Law, Information and Science (JLIS)

Wilson, Ian; Tickle, Alan B; Grigg, Katherine; Mohay, George --- "Deploying An Intrusion Detection System: Commonwealth Law and a Queensland Model" [1998] JlLawInfoSci 16; (1998) 9(2) Journal of Law, Information and Science 237

Deploying An Intrusion Detection System: Commonwealth Laws and a Queensland Model

IAN WILSON[*], ALAN B. TICKLE,[**]

KATHERINE GRIGG[***] AND GEORGE MOHAY[****]

Abstract

Intrusion detection systems are increasingly being deployed for the real-time monitoring and surveillance of activity on communications networks. These form part of a broader set of mechanisms and procedures designed to protect an organisation’s information technology infrastructure against unauthorised access and misuse. Inherently, such systems have the potential to reveal and record significant quantities of information. Importantly, some of this information may be of a personal, private or confidential nature. Hence the question arises as to whether or not the activities of monitoring, collecting or recording information using an intrusion detection system – activities undertaken with seemingly noble intentions such as detecting criminal or other suspected illegal activity – do themselves directly or indirectly violate the law in Australia. A review of the relevant legislation in Australia shows that the answer, whilst encouraging, is far from certain.

Keywords: communications network security, intrusion detection systems, telecommunications interception, privacy, listening devices.

1. Introduction

Since the early 1980s both individual organisations and telecommunications network service providers have made substantial investments in telecommunications infrastructure and facilities in the on-going quest for “global connectivity” (Penzias 1989). However an ineluctable consequence of these developments is that many organisations in areas as diverse as commerce, industry, government, military, and academia have now reached a point of almost total dependence on their information systems and telecommunications services being continuously available. Further, organisations are critically dependent on the guaranteed confidentiality and integrity of the associated information resources (Courtney 1977; Fitzgerald 1989; Caelli, Edmond, Knight, and Tickle 1990; Caelli and Tickle 1991; Caelli, Longley, and Tickle 1992; Anderson, Longley, and Tickle 1993; Butler 1994; Eloff et al. 1996). Any disruption to such systems and services, or compromise of information confidentiality or integrity (e.g. through industrial espionage), potentially has a direct, immediate and, in a number of cases, catastrophic impact on an organisation’s ability to function effectively (Keen 1988 p 20; Sommer 1989; Schweizer 1993; Eloff et al. 1996).

Organisations have responded to this increased sensitivity to the importance of information security issues by employing a range of tools and technologies to assist in the management of the information security function (Gurrie, Tickle, Diederich, and Anderson 1995a; Gurrie, Diederich, Tickle, and Anderson 1995b). One such technology is intrusion detection systems, which are increasingly being deployed for the real-time monitoring and surveillance of activity on communications networks. In particular, recent reports have emerged of a plan by the US Federal Government to build a large-scale intrusion detection system called the Federal Intrusion Detection Network (FIDNET) that would monitor government computer systems to detect unauthorised attacks from hackers.

Notwithstanding their utility, intrusion detection systems have the potential to reveal and record significant quantities of sensitive information. Importantly, some of this information may be of a personal, private or confidential nature. This is one of the main reasons that civil liberties groups in the US have strenuously denounced the FIDNET concept. Intrusion detection systems are also being used extensively in Australia. Apart from the issue of privacy, the question also arises as to whether or not the activities of monitoring, collecting and recording information using an intrusion detection system – activities undertaken with seemingly noble intentions such as protecting an organisation’s information-technology infrastructure and detecting criminal or other suspected illegal activity – violate the law in Australia either directly or indirectly.

The ensuing discussion seeks to answer this question by examining aspects of selected Australian laws that impinge directly on this area. The analysis shows that the final answer, whilst encouraging for people charged with the responsibility of information security, is far from certain.

2. Intrusion detection systems

Intrusion detection systems are intended to take over where preventative security mechanisms fail. Their primary purpose is to detect when an unauthorised access or other illegal activity has occurred and, if operating in real-time mode, immediately seek to limit the effects of such activity. Information collected as part of this process can then be subject to rigorous analysis. In certain cases, this may lead to the enhancement of the relevant security mechanisms in order to prevent a recurrence.

Successful detection of such intrusions is based either upon recognition of the exploitation of a known vulnerability or upon recognition of anomalous behaviour patterns or a combination of the two. The first of these is referred to as signature or misuse intrusion detection. The second is referred to as anomalous behaviour intrusion detection, though it is arguable whether anomalous behaviour per se should be regarded as intrusion. If anomaly-based, an intrusion detection system uses some form of profile of operations (e.g. typically a statistical profile of system usage) to decide whether an event out of the ordinary is happening i.e. whether the current pattern of behaviour differs from the standard profile by more than some threshold amount. If signature-based, the intrusion detection system matches the occurrence of an event or a sequence of events with a known pattern characteristic of an attack e.g. the classic buffer-overflow attack (Spafford 1989), password guessing etc. An intrusion detection system based solely on matching signatures cannot recognise an unknown attack. Similarly, a solely anomaly-based intrusion detection system cannot characterise even a known attack except as an anomaly, so may be unable to react appropriately in real-time.
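The two approaches are easier to compare side by side. The following Python example is added here and is not part of the original paper: it runs a signature (misuse) detector and a rate-based anomaly detector over the same constructed stream of events, where each event carries header-derived control information (time, source address, service) together with message content. Every address, account name and message is invented for illustration, and the three signatures (a NOP-sled pattern for the classic stack-overflow exploit, an oversized request line, and a sequence rule for password guessing) are illustrative rules rather than any real rule set.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass(frozen=True)
class Event:
    """One record as an IDS sees it: control information taken from the
    packet headers (time, source address, service) plus the content."""
    ts: float        # seconds since the start of the capture
    src: str         # source address from the IP header
    user: str        # account the request was made under
    service: str     # "http" or "login"
    content: bytes   # message content (payload)
    ok: bool = True  # for "login": whether the attempt succeeded

# ---- signature (misuse) detection -----------------------------------
# Illustrative single-event rules over message content (assumed patterns).
CONTENT_SIGNATURES = [
    # a long run of x86 NOP bytes: the sled of a classic stack-overflow exploit
    ("nop-sled", re.compile(rb"\x90{64,}")),
    # a request line far longer than any legitimate client sends
    ("oversized-request-line", re.compile(rb"^[A-Z]+ \S{1024,} HTTP/1\.[01]")),
]

def match_content_signatures(ev):
    return [name for name, rx in CONTENT_SIGNATURES if rx.search(ev.content)]

class SequenceSignature:
    """Sequence rule: `threshold` failed logins from one source address
    within `window` seconds is reported as password guessing."""
    def __init__(self, threshold=5, window=60.0):
        self.threshold, self.window = threshold, window
        self.failures = defaultdict(deque)   # src -> timestamps of failures

    def observe(self, ev):
        if ev.service != "login" or ev.ok:
            return None
        q = self.failures[ev.src]
        q.append(ev.ts)
        while q and ev.ts - q[0] > self.window:   # forget failures outside the window
            q.popleft()
        if len(q) >= self.threshold:
            q.clear()                              # report once per burst
            return "password-guessing"
        return None

# ---- anomaly detection ----------------------------------------------
def requests_per_minute(events):
    counts = defaultdict(int)
    for ev in events:
        counts[(ev.user, int(ev.ts // 60))] += 1
    return counts

def build_profile(training):
    """Per-user statistical profile: mean and population std. dev. of
    requests per active minute, learned from traffic assumed attack-free."""
    by_user = defaultdict(list)
    for (user, _), n in requests_per_minute(training).items():
        by_user[user].append(n)
    return {u: (mean(c), pstdev(c)) for u, c in by_user.items()}

def detect_rate_anomalies(events, profile, k=3.0):
    """Flag any (user, minute) whose request count exceeds mean + k * spread.
    A floor of one request on the spread stops a flat profile from flagging
    every small deviation."""
    alerts = []
    for (user, minute), n in sorted(requests_per_minute(events).items(),
                                    key=lambda kv: (kv[0][1], kv[0][0])):
        if user not in profile:
            continue          # no baseline for this account: the detector is blind
        mu, sd = profile[user]
        if n > mu + k * max(sd, 1.0):
            alerts.append((minute, user, n))
    return alerts

def run_ids(training, live, k=3.0):
    profile = build_profile(training)
    seq = SequenceSignature()
    sig_alerts = []
    for ev in live:
        for name in match_content_signatures(ev):
            sig_alerts.append((ev.ts, ev.src, name))
        hit = seq.observe(ev)
        if hit:
            sig_alerts.append((ev.ts, ev.src, hit))
    return {"signature": sig_alerts,
            "anomaly": detect_rate_anomalies(live, profile, k)}

# ---- constructed sample traffic (invented for this example) ----------
GET = b"GET /index.html HTTP/1.0\r\n"
TRAIN_COUNTS = [3, 4, 3, 5, 4, 3, 4, 5, 3, 4]   # ten attack-free minutes of alice
TRAINING = [Event(60.0 * m + 10 * i, "10.0.0.5", "alice", "http", GET)
            for m, n in enumerate(TRAIN_COUNTS) for i in range(n)]
LIVE = (
    [Event(10.0 * i, "10.0.0.5", "alice", "http", GET) for i in range(4)]
    # known exploit: a CGI request carrying a NOP sled
    + [Event(40.0, "10.0.0.9", "mallory", "http",
             b"GET /cgi-bin/x?" + b"\x90" * 200 + b" HTTP/1.0\r\n")]
    # password guessing: five failed logins from one source inside 20 s
    + [Event(100.0 + 5 * i, "10.0.0.9", "root", "login", b"", ok=False)
       for i in range(5)]
    # unknown attack: a burst of innocuous-looking requests under alice's
    # account from an unfamiliar address; it matches no signature
    + [Event(180.0 + i, "10.0.0.77", "alice", "http",
             b"GET /export?all=1 HTTP/1.0\r\n") for i in range(7)]
)

if __name__ == "__main__":
    for kind, alerts in run_ids(TRAINING, LIVE).items():
        print(kind, alerts)
```

Run as is, the signature side reports the NOP-sled request and the password-guessing sequence, and the anomaly side reports the seven-request burst under alice's account in minute 3. Both blind spots named above are visible: the burst matches no signature, so a signature-only system stays silent on it, while the anomaly detector says nothing about the exploit request (mallory has no baseline and one request does not move a rate) and can only label the burst as anomalous rather than say what it is.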

It is beyond the scope of this paper to provide a detailed description of the technology of intrusion detection systems. However reviews of such systems can be found in Anderson et al (1999), Amoroso (1999), Amoroso & Kwapniewski (1998), Anderson (1998), Balasubramaniyam et al (1998), Endler (1998a, b), Lee et al (1999), and Sommer (1998).

3. Potential Problems

In this paper we consider the deployment of an intrusion detection system within an organisation to monitor traffic at some strategic (gateway) point on its communications network. We assume no restrictions on the type of messages being sent over the network i.e. they could be voice, data (e.g. commercial transactions), text, video, graphics, etc. or any combinations of the above. We assume the network connectivity to be as general as possible i.e. such traffic could originate and terminate entirely within the precincts of the organisation or it could originate and/or terminate on an external network (i.e. connected by a telecommunications carrier facility).

It should be noted that, apart from the capability to monitor and record the content of messages sent over the communications network, intrusion detection systems also analyse network control information including audit log information on network traffic characteristics. Some also construct detailed profiles of user behaviour in order to identify anomalous activity i.e. they operate on the premise that deviations from “regular” behaviour may presage a potential intrusion problem.

The following legal problems may arise from these aspects of intrusion detection system functionality:

1. The deployment may infringe laws regulating the interception and recording of communications;

2. The deployment may infringe laws related to privacy;

3. The deployment may infringe laws creating criminal offences for misuse of computer systems.

4. The Australian legal context

It is beyond the scope of this paper to undertake a comprehensive coverage of all areas of Australian law, civil and criminal, Federal and State, statute law and common law. The purpose of the ensuing discussion therefore is to elicit a tentative answer, to the question raised above about the legality of using an intrusion detection system, by reference to Commonwealth and Queensland statute law in the context of criminal responsibility. Readers from States other than Queensland will perhaps identify similarities in their own jurisdiction.

Our review is of national significance in that it shows three Commonwealth statutes address core aspects of information monitoring, collecting and recording (as well as other surveillance activities), viz:

(a) The Telecommunications (Interception) Act 1979;

(b) The Crimes Act 1914;

(c) The Privacy Act 1988.

To those we add reference to the Invasion of Privacy Act 1971 (Qld).

Of all these, provisions of the Telecommunications (Interception) Act 1979 are shown to be particularly relevant. The final answer, whilst being mostly reassuring from a system-management viewpoint, is not entirely clear-cut.

5. Review of the Individual Acts

5.1 The Telecommunications (Interception) Act 1979 (Commonwealth)

The Telecommunications (Interception) Act 1979 makes no distinction on what aspect of a communication can and cannot be monitored. Its provisions apply, or do not apply, equally to all content and qualities of a communication. The definition of “communication” in the Act simply aggregates everything under the one all-encompassing term, viz.:

communication includes “conversation and a message, and any part of a conversation or message, whether:

a) in the form of:

i) speech, music or other sounds;

ii) data;

iii) text;

iv) visual images, whether or not animated; or

v) signals; or

b) in any other form or in any combination of forms.”

In particular, the inclusion of the word “signal” would appear to embrace any control information which is likely to be captured in an intrusion detection system (e.g. headers generated by communications protocols such as TCP/IP).

A second important facet of the Act is the generality of its definition of networks and network services. In particular, under this Act:

A telecommunications network means a system, or series of systems, for carrying communications by means of guided or unguided electromagnetic energy or both, but does not include a system, or series of systems, for carrying communications solely by means of radio communication.

A telecommunications service means a service for carrying communications by means of guided or unguided electromagnetic energy or both, being a service the use of which enables communications to be carried over a telecommunications system operated by a carrier but not being a service for carrying communications solely by means of radio communication.

A telecommunications system means:

(a) a telecommunications network that is within Australia; or

(b) a telecommunications network that is partly within Australia, but only to the extent that the network is within Australia

and includes equipment, a line or other facility that is connected to such a network and is within Australia.

One significant point is that the Act does not draw any overt distinction between “private” and “public” networks and, in particular, those networks owned by a telecommunications carrier such as Telstra. Moreover it does not attempt to delineate or attach special significance to the boundaries between such networks. Thus it is arguable that the Act applies even to wholly private systems. On the other hand, the general nature and tenor of the Act seems to be directed at communications flowing at least in part over public systems. This is reinforced by the many cross-references to the Telecommunications Act 1997 and to “carriers”, a term given the same definition as in that Act. The better view may be that the Act was not intended to apply to wholly private systems but does apply in respect of any communication whose passage depends wholly or in part on a public network. In that regard, no significance could be placed on any delineation of boundaries between the public network and, say, a privately owned and operated LAN. A more robust, but less likely, interpretation may be one whereby the Act is taken to apply only to the passage of the communication while it is on a public network: once the communication had left that network and passed onto, say, a wholly private LAN, the Act would not apply. This view has been adopted in the UK, and it is consonant with the Telecommunications Act 1997 in many ways. However, the language of the equivalent Act in the UK is different to that in the Telecommunications (Interception) Act 1979 and this view is thought not to be entirely plausible on the wording of the Australian Act. Nonetheless, a definitive court interpretation or amendment to the present ambiguity of the Act will be required to finally settle the issue.

One court decision should be referred to here, more for the questions it raises rather than the answers it provides. In Australasian Performing Right Association Limited v. Telstra Corporation Limited [1993] FCA 542; (1993) 118 ALR 684 (Federal Court of Australia) Justice Gummow (now a member of the High Court of Australia) was called upon to determine certain issues of copyright associated with the playing of recorded music to telephone callers put on “hold”.

Telecom (Telstra) was the holder of a general telecommunications licence, issued on 25 November 1991, under the Telecommunications Act. That Act contained a number of provisions defining the boundaries of the network. Justice Gummow said:

For present purposes, it is sufficient to note that in the case of domestic customers the network ends at the first telephone socket, and in the case of commercial customers the network ends at the Main Distribution Frame in the building. The Main Distribution Frame is used to connect external telephone lines, owned by Telecom, to the customer's internal telephone lines. The customer is the owner or lessee of, and is responsible for, all equipment beyond the first socket, in the case of a domestic customer, or the Main Distribution Frame, in the case of a commercial customer.
In the case of a telephone call from an ordinary domestic telephone, when a person ("the caller") picks up a telephone in order to make a call, the caller draws electro-magnetic current which is provided by the nearest telephone exchange. When the caller dials a number the dialling signal is sent back to the nearest exchange and is routed by that exchange through the network to the exchange nearest to the person being dialled ("the recipient"). The earpiece in the handset of the recipient contains a device which converts the electro-magnetic current into sound.
Where the communication emanates from a commercial telephone system, such as a PABX, the position is complicated by the fact that such systems use their own power source rather than power provided by the exchange. Thus, if a person uses a PABX, an electro-magnetic current is drawn from the electricity grid, is modulated by the person speaking, and is sent to the nearest exchange. There it is amplified and sent through the network to the recipient. Therefore, the recipient receives, at least in part, an electro-magnetic current which originates from the caller's PABX. In other cases, the recipient receives a current which originates from the caller's exchange and is modulated by the caller. It should be noted that where the caller and the recipient are reasonably close to one another, the modulated current may not necessarily be amplified. From a technical point of view, the playing of music on hold has the same effect as someone speaking. The electro-magnetic current originating in the PABX, for example, is modulated by the music source and this modulated current then moves through the network to the person listening to the music.

The parallels between this case and the data communications scenario are intriguing, particularly the possibility of there being a distinction of legal significance as to the boundaries of a network.

Another key point of the Act for the purpose of this discussion seems to be the definition of what, in fact, constitutes an “interception”. This is because the essential feature of the Act is that, aside from a number of stated exceptions for law enforcement and security organisations, it prohibits the interception of communications. Further, it specifies that material obtained unlawfully in terms of its provisions cannot be disseminated in any way. It sets out a number of criminal penalties for breach.

The concept of what is constituted by an interception is addressed in Part IA Section 6 sub-section (1) viz.

For the purposes of this Act, but subject to this section, interception of a communication passing over a telecommunications system consists of listening to or recording, by any means, such a communication in its passage over that telecommunications system without the knowledge of the person making the communication.

From this definition, the basic notion we have of an interception is one of monitoring (“listening to”) or recording a message in transit over a network and that this must occur without the knowledge of the sending party. Obviously, to someone expert in the complexities of networking, this definition probably raises more questions than it answers. For example, what of the situation where an e-mail message is stored on a mail-server for later reading by a client computer – a fairly typical mail-server scenario. Is this message still deemed to be “in its passage over that telecommunications system”? The wording of the Act does not offer any further assistance in resolving such issues. However, taken at face value, it seems reasonable to assume that the Act covers the operation of intrusion detection (software/hardware) mechanisms since these clearly satisfy both the “monitoring/recording” criterion and the “passage” criterion.

Again it is useful to refer to a court decision based on use of telephones, for the questions it raises in the context of data communications rather than the answers it supplies. In R v Giaccio and Edginton (unreported, 1997, Court of Appeal, South Australia) Justices Cox, Millhouse and Perry were asked to decide whether an “interception” had taken place by means of a tape recorder. Justice Cox stated:

In my opinion the taping of these telephone conversations by means of a micro-cassette recorder, held close to the telephone hand-piece by one of the persons having the conversation, did not amount to an interception of a communication passing over a telecommunications system within the meaning of sections 6 and 7 of the Interception Act.
The connotation of the s6 terminology is not as clear as it might be, which explains why different judges have interpreted the section differently, but I would see the telephone system as (to put it symbolically) starting typically with a handset microphone and ending with a handset loudspeaker. It may well have intangible components or features in between those points but its outer boundaries, as it were, will consist typically of telephones - a myriad of them, as it happens. It is true that the system will not operate unless sound is fed into it at one end and out of it at the other, but it does not follow from this that the sound waves that are external to the equipment at these two points are part of the telecommunications system itself. On that view of the matter, for a person to record a telephone user's voice by standing alongside him with a tape recorder is to record his communication while it is still outside the telecommunications system, not while it is passing over it. I would interpret a recording of the other person's words, "uttered" by the loudspeaker in the same handset, in a similar way. The communication from the other end has completed its passage over the telecommunications system before the microphone of the tape recorder picks it up. Thus, in my opinion, a recording made of a telephone conversation in this fashion, externally to the equipment in the sense I have described, is not an interception of the telephone conversation within the meaning of the Interception Act.

Whether the logic of the decision can be extrapolated to the passage of data over a network, and whether there may be situations in which that data can be “interrogated” or monitored at points external to the network, provides grounds for further thought.

The legality of deploying an intrusion detection system (and, in general, other network-management-related and network-security-related tools and mechanisms) thus seems dependent on two provisions in the Act. The first is the one given in the above definition viz. that an interception does not occur if the sending party has “knowledge” that the monitoring or recording is occurring. Unfortunately the Act is of no further assistance in resolving what constitutes such “knowledge”, whether it must be explicit or whether it might be implicit. One would expect that reliance could be placed on the typical warning message displayed at the time of initial connection to satisfy this requirement. The problem in many instances may of course turn out to be one of commercial sensitivity. It is probably fair to say that sites providing access for commercial or business reasons would baulk at explicitly warning their clients that traffic was being monitored or recorded. Many clients would suspect this in any event, meaning the “knowledge” requirement would perhaps be satisfied in those instances. It is however far too early to suggest that all users must be assumed to know, or ought reasonably to suspect, that monitoring and logging is likely to occur. Indeed this issue will become far more problematic as the commercialisation of the Internet interconnects users with an increasingly diverse appreciation of network security issues.

From the system-security/network-administration perspective, the second provision of the Act of direct relevance is in Part II Section 7(1). This provides:

A person shall not:

(a) intercept;

(b) authorize, suffer or permit another person to intercept; or

(c) do any act or thing that will enable him or her or another person to intercept;

a communication passing over a telecommunications system.

The Act also provides numerous exceptions to this general prohibition. Principal among these is the ability of law enforcement agencies to obtain interception warrants, provided the strict conditions laid down are satisfied. Typically such warrants are available for reasons of national security or the investigation of serious crime. Given its highly restricted relevance, the topic of interception warrants is not addressed in this paper.

The only potential exception which might apply to our assumed model arises from Section 7 (2)(a) which provides that Part II Section 7(1) does not apply to:

the interception of a communication by [a] person [other than an employee of a carrier] lawfully engaged in duties relating to the installation, connection or maintenance of equipment or a line, where it is reasonably necessary for the person to intercept the communication in order to perform those duties effectively;

There seems to be an argument that network-management-related and specifically network-security-related activities such as intrusion detection may fall within the ambit of maintenance of equipment. “Equipment” is defined as “…any apparatus or equipment used, or intended for use, in or in connection with a telecommunications network”.

The basis for this argument is the set of standards documents produced by the International Organization for Standardization (ISO) for network management. Notable are ISO 7498-4 Management Framework and the subsequent documents Common Management Information Services and Protocols (CMIS/CMIP) and Common Management Information Services and Protocols for the Internet (CMOT and CMIP) (RFC 1189). These documents view the area of network management as embracing five core functions viz. fault management, accounting management, configuration management, security management, and performance management. Fault management, which is one of the key aspects of this framework, is defined as being the process of identifying and locating faults in the network. This could include discovering the existence of the problem, identifying the source, and possibly repairing (or at least isolating the rest of the network from) the problem. In a similar vein, security management is defined as the process of controlling (granting, limiting, restricting or denying) access to the network and resources thereon.

The task of repairing faults is one of the basic functions normally associated with maintenance. Hence there would seem to be a direct argument that fault management comes within the term “operation or maintenance” as used in the Act. However, another aspect of maintenance is preventative maintenance i.e. taking action to prevent failure occurring. Necessarily, preventative maintenance involves some form of monitoring activity. Hence one could argue that intrusion detection systems (and large elements of the security management function) fall within the realm of preventative maintenance.

The counter argument should also be stated. The reference to equipment may be a reference only to equipment provided by a “carrier”, given the potential focus of the Act as earlier discussed. In that event a network administrator or other responsible person will (absent knowledge by the person making the communication) commit an offence under the Telecommunications (Interception) Act 1979 each time he or she deploys an intrusion detection system or knowingly allows one to be deployed!

In summary, the Telecommunications (Interception) Act 1979 is of direct and immediate relevance to the problem of deciding the legality of deploying an intrusion detection system. The Act appears to recognise and make allowance for the type of information-monitoring/recording activity which is integral to intrusion detection, provided it goes no further than maintenance needs. Whether such a conclusion has the support of the Courts remains undecided. No case coming before a superior Court has required an extensive examination and interpretation of the Act in this context. The Act was not originally designed to cover sophisticated data communications systems, and notwithstanding recent amendments its terms are clearly inapposite to the needs of the new millennium. Those involved in intrusion detection are entitled to be optimistic, but the law is notorious for its uncertainty in many areas and this is no exception. Nothing can be stated with clarity until a comprehensive revision of the Act is undertaken by the Commonwealth Parliament.

5.2 The Crimes Act 1914 (Commonwealth)

The Crimes Act 1914 deals extensively with “crimes” against computer systems including, in particular, the use of telecommunications services as a vehicle for undertaking such maleficent activity. Moreover, given its wide-ranging provisions, the Crimes Act 1914 is designed to be the primary piece of legislation under which prosecutions for such activity are mounted in Australia. However only one section of the Act appears relevant to the focus of this discussion viz. a consideration of the legality of monitoring, collecting or recording information as part of network-management and network-security related activities such as deploying an intrusion detection system. This is section 85ZKB, which imposes a prohibition on interception devices. Basically this provision makes it unlawful for a person to manufacture, advertise, sell, or possess anything with the capability to intercept a communication in contravention of the Telecommunications (Interception) Act 1979.

At first glance this section may be thought to render it unlawful to possess an intrusion detection system, on the ground that such a system is clearly capable of intercepting communications in a manner not consistent with the Telecommunications (Interception) Act 1979. It is likely however that the section was not intended to have such a broad ambit, and that the Courts would have difficulty justifying an interpretation encompassing intrusion detection systems. A useful analogy is that of a standard domestic tape recorder. This is a benign device, although used in a certain way it is capable of intercepting communications in an unlawful manner. To do so its operator must take certain steps, and it would be untenable to suggest that possession of such a device is unlawful simply because such steps might be taken. The same is true of intrusion detection. The important issue here is the possibility of legally deploying an intrusion detection system under the Telecommunications (Interception) Act 1979, already discussed. If deployment passes the test for legality (as discussed above) then possession of the system is not thought to be subject to the Crimes Act 1914. Again however a caveat must be entered. There is no Court decision which positively interprets section 85ZKB in this way, and until there is one the possibility of a contrary conclusion must be acknowledged.

5.3 The Privacy Act 1988 (Commonwealth)

The immediate issue in relation to the Privacy Act 1988 is to decide whether or not an organisation under our assumed model comes within the narrow scope of the Act. The Privacy Act 1988 applies only to a specific set of organisations viz. what is termed an “agency” (basically most Commonwealth-government entities), a “(tax) file number recipient”, and a “credit reporting agency”. Also, to make matters slightly more complex, the Act operates differently depending on which of these groups the organisation belongs to. For example, the Act is mostly about issues relating to the collection and use of “personal information” by “agencies” but has separate provisions for “tax file number information” collected and used by “(tax) file number recipients”.

The most likely situation in which the Privacy Act 1988 would apply is the somewhat restricted one of deployment of an intrusion detection system by a Commonwealth agency. The basis of this conclusion is that the type of information that would normally be collected by an intrusion detection system (and particularly the profiles of user behaviour synthesised by such systems) appears to fit the wide-ranging definition of “personal information” under the Act. Under the Privacy Act 1988, personal information is “information or an opinion whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.”

Information Privacy Principle 1 within the Privacy Act 1988 contains fetters on the legality of collecting information pertinent to the operation of an intrusion detection system. These are:

1. Personal information shall not be collected by a collector for inclusion in a record or in a generally available publication unless:

(a) the information is collected for a purpose that is a lawful purpose directly related to a function or activity of the collector; and

(b) the collection of the information is necessary for or directly related to that purpose.

2. Personal information shall not be collected by a collector by unlawful or unfair means.

In terms of this provision of the Act, the “function or activity” under which the information is being collected must, if exemption is to be attained, be one encompassed by the scope of the official role of the collector. Further, it must be necessary for the information to be collected in order for that role to be properly carried out. Hence the operation of an intrusion detection system in a public sector context seems to be problematically dependent upon the official nature of the person or organisation deploying it.

The legality of intrusion detection systems under the Privacy Act 1988, even where the above requirement is satisfied, depends also on ensuring that “unlawful or unfair means” are not employed. Unfortunately, the Act offers no further assistance on the meaning of this phrase. However, if the system is deployed in all respects lawfully under the Telecommunications (Interception) Act 1979 as discussed above, it seems the legality requirement would be satisfied. Whether the fairness requirement would be seen as requiring, in addition, a warning in the usual form to system users at logon is not clear. No case has interpreted the Act in this context, and a decision must be awaited in due course.

It should be noted that Information Privacy Principle 1 deals only with the collection of information. Once data has been collected using an intrusion detection system, other Information Privacy Principles within the Act introduce strict provisions on the storage and use of the information. It is beyond the scope of this paper to consider those provisions.

5.4 The Invasion of Privacy Act 1971 (Queensland)

A common feature of all the Acts discussed so far is that they are Commonwealth Acts. However, various States have enacted pieces of legislation which potentially impinge on intrusion detection system deployment. Under section 43(1) of the Invasion of Privacy Act 1971 (Queensland), “a person is guilty of an offence against this Act if the person uses a listening device to overhear, record, monitor or listen to a private conversation....”. The Act goes on to define both a “listening device” and a “private conversation”. The important point is that these definitions are cast in terms of recording verbal exchanges and have no direct data communications network connotations.

On this basis it is highly unlikely that this type of legislation, for which there are counterparts in most States, would apply to intrusion detection. This is perhaps fortunate, because the Invasion of Privacy Act 1971 (Queensland) is not as potentially forgiving as the Telecommunications (Interception) Act 1979 in sanctioning monitoring by third parties. In particular, unlike the Telecommunications (Interception) Act 1979, this Act neither makes provision for recording by a third party where such recording is done with the knowledge of the communicating parties, nor does it offer exclusions for “maintenance”. The Invasion of Privacy Act 1971 (Queensland) sanctions recording only where the person using the listening device is a party to the private conversation; in situations involving the unintentional hearing of a private conversation; and in situations relating to law enforcement.

6. Conclusion

This review has shown that provisions of the Telecommunications (Interception) Act 1979 are the most directly relevant to answering the general question as to the legality of deploying an intrusion detection system. In particular, the review shows that such activity (and similar security-related surveillance, monitoring and recording activity) may be permitted provided it passes either of two tests. The first is the specific test that the person making the communication has knowledge that the process is occurring. For a large number of situations, the argument would be that the display of a “warning” screen at the time of initial connection would satisfy this requirement. However, as has been noted, organisations may be reluctant to display such a message since it is somewhat at variance with the notion of creating a welcoming “shop-front” to a commercial web-site. The second and more general test is that the actions associated with deploying an intrusion detection system come within the scope of the term “maintenance”. The arguments presented above suggest that this could be the situation.

This review has also shown that many Acts with the potential to impinge upon the legality of deploying intrusion detection systems were themselves intended by Parliament for different and, in some cases, unrelated purposes. The law in Australia in this area remains in an unsatisfactory state. Intrusion detection and similar activity have never been addressed in any coherent way by the legislators. As we enter the twenty-first century, the time has surely come to comprehensively review provisions enacted in light only of the technological issues generated in the twentieth century. The law is notoriously slow to recognise change, and this area will prove to be no exception.

7. Acknowledgments

The authors are grateful to Dr Alison Anderson and Les Smith from the Information Security Research Centre at QUT for their comments and suggestions in preparing this paper.


[*] i.wilson@qut.edu.au, Faculty of Law, Queensland University of Technology, Box 2434 GPO Brisbane, Queensland 4001, Australia

[**] ab.tickle@qut.edu.au, Machine Learning Research Centre

[***] Faculty of Law

[****] g.mohay@qut.edu.au, School of Computing Science


URL: http://www.austlii.edu.au/au/journals/JlLawInfoSci/1998/16.html