22 August 2014
Mr Ben Fairless
Sent via email:
xxxxxxxxxxxxxxxxxxxxxxxx@xxxxxxxxxxx.xxx.xx
Our Ref: FOI1415/5.13
Dear Mr Fairless,
FOI Application – IT Infrastructure Information - Decision
I am writing in relation to your request made under the
Freedom of Information Act, 1982 (
the FOI Act), seeking
access to information relating to NBN Co’s IT infrastructure.
The Statement of Reasons (
Attached) outlines the specific terms of the FOI request, the decision-maker’s findings
and the access decision. For your reference, the FOI decision is subject to review under sections 53A and 54 of the
FOI Act. The Office of the Australian Information Commissioner’s
FOI Fact Sheet 12 – Your review rights is attached
for your information and may be found at the followi
ng link.
If you have any questions, need to discuss your FOI application or require any other information relating to this
matter, please feel free to contact the writer on Tel. (02) 89185670 or via email
on xxxxxxxxxxxxxx@xxxxx.xxx.xx.
Sincerely,
Yvette Deerness
A/GM Legal Counsel
FOI, Privacy and Knowledge Management
cc. Justin Forsell, Chief Legal Counsel, NBN Co
PHONE
(02) 9926 1900
FAX
(02) 9926 1901
EMAIL
xxxx@xxxxx.xxx.xx
WEB
www.nbnco.com.au
LEVEL 11, 100 ARTHUR STREET, NORTH SYDNEY NSW 2060
NBN Co Limited ACN 136 533 741 © NBN Co 2013
FREEDOM OF INFORMATION REQUEST – 1415/5
Mr Ben Fairless
ACCESS DECISION
STATEMENT OF REASONS
Application Chronology and Terms of Request
1. On 17 July 2014, NBN Co received an email from Mr Ben Fairless of the “Right to Know” website (
Applicant), in which he
made an application under the
Freedom of Information Act, 1982 (FOI Act or Act) for the following:
Records detailing the IPv4 (and if relevant, IPv6) addresses used to access the public internet from within your network. To
clarify, these are the public facing addresses of your private network. I am only requesting addresses that are used to
access the general public internet. In addition, if it is such that a particular IP address serves a particular area within your
department (for example, one IP address is used for Media Relations, while another is used for Ministerial
Communications), I also request access to this information.
2. On 24 July 2014, NBN Co staff acknowledged receipt of the Applicant’s application as required by section 15 of the Act and
informed the Applicant that a determination would be due on 15 August 2014, subject to any suspension of the processing
period due to requests for charges or third party consultations.
3. On 29 July 2014, the Applicant sent an email to NBN Co requesting that the Application be treated as a request for
administrative access.
4. On 8 August 2014, NBN Co sent the Applicant a request for an advance deposit, in accordance with subsection 29(1) of
the Act. In the same correspondence the Applicant was advised it had been decided that the Application could not be
processed under administrative access procedures, as it was not the sort of information that the company would release on
a regular basis. In a subsequent teleconference, the Applicant spoke to NBN Co staff and made contentions regarding the
processing fees and questioning the amount of decision-making time. NBN Co staff confirmed that the decision-making
time was required.
5. On 11 August 2014, the Applicant had paid the advance deposit.
6. On 22 August 2014, I forwarded this decision to the Applicant.
Summary of Access Decision
7. Under section 3(1)(b) of the FOI Act, the public has a right to seek access to “documents”, rather than discrete bits of
information. Notwithstanding this point, section 17 of the FOI Act enables Government authorities to provide applicants with
information, where such information is not available in a discrete written form and where the information is “ordinarily
available to the agency for retrieving or collating stored information”. Following receipt of the Applicant’s request, NBN Co
staff undertook relevant searches and advised that the information requested was not available in a discreet form however,
PHONE
(02) 9926 1900
FAX
(02) 9926 1901
EMAIL
xxxx@xxxxx.xxx.xx
WEB
www.nbnco.com.au
LEVEL 11, 100 ARTHUR STREET, NORTH SYDNEY NSW 2060
NBN Co Limited ACN 136 533 741 © NBN Co 2013
it was possible to create an appropriate document containing the information falling within the scope of the Application (
IP
Address Information).
8. As an FOI decision maker, it is open to me to consider whether the information falls within the terms of section 7(3A) of the
FOI Act – NBN Co’s commercial activities exemption (
CAE) – and is, therefore, not subject to the operation of the Act.
General background information regarding NBN Co’s FOI processes and the principles underpinning NBN Co’s commercial
activities exemption may be found at the followin
g link. It is my decision that the IP Address Information falls within the
CAE.
9. It is also my decision that section 33(a)(i) of the Act (National Security) applies to the IP Address Information, and the
disclosure of the IP Address Information would, or could reasonably be expected to, cause damage to the security of the
Commonwealth.
10. Other potential exemptions could apply to the IP Address Information either in whole or in part. In my opinion, it is
unnecessary to consider these exemptions as the IP Address Information is already exempt from the operation of the FOI
Act as per the CAE and section 33(a)(i) of the Act.
Reasons for FOI Decision
Application of the FOI Act - Commercial Activities Exemption
11. As outlined above, I refer you to a summary explanation regarding NBN Co’s CAE, found at the followin
g link. It is my
decision that the IP Address Information falls within the CAE and as such is not subject to the operation of the FOI Act. I
base my decision on the following conclusions:
There could be a direct correlation between making the IP Address Information available and the ability to
aggregate information regarding NBN Co’s IT infrastructure. This in turn could increase the risk of targeted denial
of services attacks on NBN Co.
Denial of service attacks impact the NBN Co’s IT systems, which in turn could slow down the rollout of the
national broadband network. Slowing down the rollout could undermine NBN Co’s ability to maximise returns for
our Shareholder Ministers and, ultimately, the return on investment for Australian taxpayers.
An increased exposure for NBN Co to denial of service attacks could, in turn, increase the efforts and resources
NBN Co will need to put into defensive security measures. This would undoubtedly increase NBN Co’s security
costs which again could undermine NBN Co’s ability to maximise returns for our Shareholder Minsters and, the
Australian taxpayer.
General Exemption – Affecting the Security of the Commonwealth
12. Section 33 (a) (i) of the FOI Act exempts documents from disclosure if such disclosure could damage the security of the
Commonwealth. An extract of the relevant section below for reference:
33 Documents affecting national security, defence or international relations
A document is an exempt document if disclosure of the document under this Act:
(a) would, or could reasonably be expected to, cause damage to:
(i)
the security of the Commonwealth; …
13. I am of the opinion that the IP Address Information falls within the section 33(a) (i) exemption. In reaching my decision,
guidance was sought from the Attorney General’s Department and I also referred to advice provided by NBN Co’s security
experts. Drawing on the points made in relation to the CAE exemption above, particularly the point that there could be a
direct correlation between making the IP Address Information available and the ability to aggregate information regarding
not only NBN Co’s IT infrastructure, but the IT infrastructure across multiple Commonwealth government agencies. This in
turn could increase the risk posed of a targeted denial service attack on NBN Co. Likewise, such release could increase the
risk of a targeted denial of service attack on multiple government agencies. For these reasons it is my decision that the IP
Information is exempt because disclosure either would, or could reasonably be expected to, cause damage to the security
of the Commonwealth.
Other Exemptions
14. I am of the view that other exemptions under the FOI Act could apply to the disclosure of the IP Address Information,
including the section 47E(d) public interest conditional exception, i.e
would, or could reasonably be expected to, have a
substantial adverse effect on the proper and efficient conduct of the operation of an agency [i.e NBN Co]. However, it is my
opinion that it is unnecessary to consider such exceptions in light of my view that the IP Address Information is already
exempt as per CAE and section 33 (a) (i) of the Act.
Processing Charges
15. NBN Co staff spent approximately half an hour in sourcing the relevant information. In addition, I spent approximately eight
hours in drafting and finalising this FOI decision, as well as completing relevant correspondence and undertaking
discussions with experts in our business regarding the IP Address Information.
16. It is NBN Co’s general policy to charge applicants for FOI processing time. In its
Submission to the OAIC Charges Review,
NBN Co outlined its support of fees and charges and their importance to the FOI scheme. In the Advance Deposit Request
sent to the Applicant in early August, estimated processing charges of $67.50 were detailed. The Applicant paid the
advance deposit of $20 leaving a final amount owing of $47.50. It is my decision to waive the remaining amount. This fee
waiver is permitted by Regulation 3 of the
Freedom of Information (Charges) Regulations 1982, which provides decision-
makers with a general discretion to impose or not impose a charge, or impose a reduced charge for the processing of an
FOI request.
Right of Review
17. If you are dissatisfied with this decision, you have certain rights of review. Details regarding your rights of review and
appeal are outlined in the covering letter, provided with this Statement of Reasons.