Environment and Communications References Committee – Triple Zero service outage
CHAIR: Welcome. I understand information on parliamentary privilege and the protection of witnesses giving evidence to a Senate committee has been provided to you. Have you got an opening statement for us?
Mr Coleman: I do.
CHAIR: We’ll go to that and then to questions.
Mr Coleman : Good afternoon, senators, and thank you for the opportunity to appear today. I open by putting the recent triple zero outage into context. The triple zero service that exists today exists in a completely different world to when it was introduced in 1961. Triple zero was introduced in an environment where we had one fixed-line network operator and just one type of home telephone. Today we have three national mobile networks; a new nation fixed-line network in the NBN; tens of thousands of different mobile phones; and new ways of connecting to triple zero, including via smartwatches, wi-fi and even satellite. This competitive market has delivered enormous benefits for Australians but also created a complex ecosystem of the triple zero service, with various responsibilities on networks, device makers and emergency services operators. The regulatory environment in this complex ecosystem has improved since the 2023 Optus outage and the Bean review, which sets the scene for recent events.
Where does the Australian Telecommunications Alliance fit into this? The ATA is not a lobby group. Under the Telecommunications Act we are recognised as a body responsible for the development of industry codes and also an approved standards development organisation to make technical standards. The ATA was tasked with delivering three of the Bean review’s 18 recommendations. First, we developed an industry code which facilitates testing arrangements between mobile network operators and a controlled test facility to run six-monthly tests on devices and networks with simulated outages. This work is supported by the Device End-to-End Service Testing Group, which includes telcos and device makers. Second, we updated the Australian standard for mobile devices to strengthen testing requirements for emergency calls, including testing of camp-on features when a device’s home network is down. Third, we updated the Emergency Call Service Requirements Code and introduced new technical guidelines to include requirements for remote access to network management tools during a network outage.
Recent events have shown there are further improvements that could be made to the regulatory framework. Today, mobile devices are effectively self-certified. There is no public record of devices that have the regulatory compliance mark, and there is no auditing process to verify compliance. That’s why the ATA has recommended in its submission the establishment of a public device register. This would establish a public list of devices that have been certified as compliant with regulated technical standards and would provide consumers, industry and regulators with a single authoritative source of information on device compliance. I welcome the committee’s questions.
CHAIR: Thank you. Senator Henderson.
Senator HENDERSON: Good afternoon, Mr Coleman, and thank you very much for joining us. We are inquiring into these matters, concerned about what needs to change. Many things went wrong on 18 September, and we’ve learned today of another death involving a customer using a defective Samsung device. Could you provide this committee with more information about why a device register is required.
Mr Coleman: The reason we’ve proposed a device register is that, today, when a device maker goes to sell a mobile phone in the Australian market, they check that phone against technical standards—effectively a tick-list of things that that mobile device needs to comply with. Once they have assured themselves that that device is compliant with the relevant standards, they give themselves the regulatory compliance mark. We call that the telecommunications labelling notice, or the TLN. Once that has occurred, the device can be sold in the Australian market. There is no public record or public register of devices that have received the regulatory compliance mark. The only regulatory obligation on the device makers is that they need to provide, on request, that certificate of compliance to the regulator, the ACMA. We think that having those results available publicly—of the devices that have received the regulatory compliance mark—would give better information for industry, consumers and the regulator alike to see which devices have given themselves the compliance mark.
I think there is an issue that has come up through Optus’s own submission. They’ve noticed that a number of devices behaved differently during the outage. There are global standards that those devices may have complied with. Those devices may have even been in compliance with local standards, but they could have been sold a number of years ago, and they still did not behave as they should have. This register would not be a silver bullet, but it would give a greater degree of public visibility over which devices have received that regulatory compliance mark.
Senator HENDERSON: At the end of the day, this is about ensuring Australians can call triple zero in times of emergency. Would a central device register assist consumers in understanding whether they have a defective device? That still appears to be a very live issue.
Mr Coleman: I think that consumers having visibility of which devices have received the regulatory compliance mark is going to put them in a much better position. One of the issues that we face today—certainly, it was an issue that came up in the recent Optus outages—is that there are tens of thousands of devices being used on networks today. Some of those are sold in Australia through mobile operators. Some of those are brought in through the grey market, which we’ve heard about in previous submissions and earlier this morning. Devices can come in internationally. They may not be compliant with the Australian standard. If there are tens of thousands of devices out there, mobile network operators do not have the capacity to test all of those tens of thousands of devices that are on their network. The mobile network operators have said today that they test the devices that they sell through their own shops. But anybody can come into Australia off an international flight, put in a local SIM card and start using that device. The public device register would give consumers a greater degree of visibility of which devices are self-certified as compliant.
Senator HENDERSON: Shouldn’t there be a regulatory requirement where our carriers are required to test every device to ensure that triple zero can be reached in times of emergency? Isn’t that a big issue? We’ve heard evidence from Samsung that 71 different models were not compliant—sorry, that 71 different models were not able to be used to call triple zero. You represent the telecommunications carriers in this country. Why haven’t they been more proactive?
Mr Coleman: We do, to a degree, already have regulations on carriers when it comes to blocking devices that they know have an issue connecting to triple zero. We’ve spoken about the emergency call service determination already today. Once a carrier has the knowledge that the device may have an issue calling triple zero, they have an obligation to inform customers and to block that device within 28 to 35 days.
That is a very different proposition to expecting carriers to test every single device in the Australian market. Not only are there tens of thousands of potentially different devices but each software version on those devices can lead to different behaviours. For a single phone model you might have software versions 18.1, 18.2 or 18.3 that can potentially change the behaviour of that device. If there were an expectation on mobile network operators to test every single device used on their networks, that would constantly require retesting of devices whenever there was a new software update. You would have the problem of international devices coming in and the software version they were on. Do mobile network operators even have access to those devices to test them?
I think that the regime that we have in place today, where mobile network operators have an obligation to communicate with customers and to block devices that are known to have an issue, is the right environment. To expect operators to test every single device on the network, knowing that that would be a never-ending process, when there are constant software updates, would be extremely onerous. It would inevitably lead to price increases for consumers, both for devices and for access. That wouldn’t be a great outcome for consumers. So I think this gets the balance right in the current regulatory approach.
Senator HENDERSON: Mr Coleman, Samsung advised the carriers back in 2023, prior to the 3G network being shut down, that there were 71 different models that could not be used to connect to triple zero. Why didn’t the carriers act then to block those devices? It’s now a regulation, which wasn’t passed until last year, but it seems to me that there was a list of devices known to be non-compliant or known not to work on triple zero. Why didn’t the carriers simply block those devices as soon as they knew about them?
Mr Coleman: As I understand it, the mobile carriers only became alert to the issue at the end of September this year, that they were not aware of it during the 3G shutdown when it occurred. So that would be a question for the carriers or for Samsung about the degree of knowledge they may have had back then. My understanding was that this issue only came up towards the end of September, when they realised there was an issue with camp-on onto Samsung, and that immediately initiated the blocking process. We heard from carriers that they’ve already commenced blocking.
I’ll just pause on that for a moment because this opens up a conversation about the regulatory compliance framework. When a device is sold in Australia and receives the regulatory compliance mark, which is regulated by the ACMA, that occurs at a point in time when the device is sold. It is not retrospective. If you start selling a device in 2017, it receives the compliance mark at that point in 2017. It does not need to go back and receive the compliance mark again after a software update, only when the model is sold in the market. This is something the regulator has been consulting on the issue of grandfathering, as we call it. If a device continues to be sold in the market for a number of years—maybe it’s three years; maybe it’s five years—do you need to go back and recertify that device against an updated version of the standard? Following the Bean review into the Optus outage of 2023, we updated the standard. So there are now more rigorous testing requirements for devices when it comes to camp-on, but that is a new requirement in the updated standard. We’ve acknowledged in our submission that that compliance mark is received at a point in time; it does not need to be rechecked.
Senator CADELL: So it’s basically like an ANCAP rating on a car. If I get a five-star rating in 2020, I would not get a five-star rating now. Just because it was at that point in time—best practice and work—doesn’t mean it’s the same rating now. So you’re contesting going forward in incremental lots to check that compliance and do that recertification.
Mr Coleman: It’s a great analogy. If your car got certified in 2015, or whenever it was, you can continue to drive that car on the road. Even though the standard gets upgraded, you don’t have to go and hand that car back in or go out and get forced to buy a new car. That would have a huge cost on you to do that. That’s the same case here with device standards. They meet the standard at the time they are sold in the market. If a consumer continues to use that device 10 years later, then it may not be compliant with the current standard and it doesn’t need to recheck against the current standard. But what the regulator has been consulting with industry on is: should there be some kind of grandfathering clause that would mean a device needs to be rechecked if it continues to be sold?
Senator CADELL: It’s like after five years you’ve got to get a pink slip on your car.
Mr Coleman: There you go. The thing to remember is that, in Australia, we are a very modern market. Most handsets that are sold will not be in the market for years and years. As soon as the new iPhone or the new Samsung Galaxy comes out, previous models very quickly exit the market. So, if there were to be a grandfathering position, its efficacy would be limited by how long those phones were being sold. In other countries, phones might be sold for much longer on the market, but, in Australia, it would really be dependent on how long phones continued to be retailed and whether they would need to be retested for compliance again.
Senator HENDERSON: Mr Coleman, you may need to take this on notice. Samsung provided the carriers and the regulator with information back in 2023 about the 71 defective models of devices—10 of which are not capable of being upgraded, 61 of which are capable of being upgraded. For whatever reason, the carriers did not blacklist those devices straightaway. It’s my understanding that the reason they didn’t do that is that they weren’t properly identifying which devices had actually received a software upgrade. So, in other words, they were seeking the wrong information. The carriers weren’t implementing the appropriate methodology insofar as their responsibility to identify devices which had and had not been upgraded. If you can respond to that now, that would be fine; otherwise, please take it on notice. I think it was only in October, when Samsung advised the carriers that they were actually implementing the wrong methodology, that the big light went on and there was new information about what the carriers were doing wrong. So could you come back to this committee with some clarity in relation to that matter. Australians will be asking about this. There was a list of defective devices. The carriers knew about that list, and yet they weren’t upgraded or blacklisted appropriately at the time. Now, of course, we’ve had this terrible situation evolve in the last couple of months.
Mr Coleman: My understanding is that the carriers only became aware of that situation towards the end of September, after the Optus outage occurred. On what Samsung had mentioned before, I’m not familiar with the background of what information was provided to carriers in 2023. I simply can’t comment, because I don’t know and we wouldn’t have been a part of that process. All I can comment on is the fact that, once the carriers became aware of that information, which to my knowledge was toward the end of September this year, following the Optus outage, they then commenced that process of device blocking where necessary for devices that couldn’t be upgraded and device upgrades or customer information regarding device upgrades for devices that could be upgraded after that point. I don’t have any visibility of the information that was conveyed to carriers back in 2023.
Senator HENDERSON: What I’m putting to you—and, of course, we haven’t been able to put it to the carriers, because they appeared before Samsung—is that the carriers were using the incorrect methodology to identify which devices had been upgraded. It goes back to perhaps the broader question. Irrespective of which devices were upgraded and which weren’t on the list of 71 defective models, why weren’t the carriers screaming this from the rooftops? Why weren’t they demanding a public awareness campaign? You represent the carriers as part of an industry association, but what steps did the carriers take to alert Australians to this potentially life-threatening situation? In answering that question, could you also address any representations which were made to the ACCC in relation to a device recall?
Mr Coleman: The carriers have communicated with affected customers here. When you mention a public education campaign, I think there’s a strong argument that they have already undertaken a public education campaign, because they have contacted every affected individual. Every individual that has a device that either has to be blocked or can be upgraded has been notified by their carrier. There is a regulatory obligation on carriers to send several notifications to that customer before—
Senator HENDERSON: It was only when they found out, though. That’s the key issue, and that’s what I’m asking you to perhaps take on notice. They didn’t alert all customers who had one of those 71 models, in the case of Samsung, at the time that they first got that list. So I would like you to provide the committee with any more information through your members. But, going to the public awareness campaign, there are thousands upon thousands of Australians who had defective devices who didn’t know about it. And, yes, the carriers are saying, ‘We didn’t know, and therefore we couldn’t tell our customers,’ but what I’m putting to you is that the reason they didn’t know is that they were using the wrong methodology to identify which devices had been upgraded and which hadn’t.
Mr Coleman: I would say that once the carriers did know—which again, to my understanding, was toward the end of September—they did communicate directly with those customers.
Senator HENDERSON: But my point is that they should have known a lot earlier. What I’m saying—and, again, you are running the industry association—is that it appears that the carriers were using the wrong methodology to identify which devices had had the software upgrade. Therefore, there were thousands upon thousands of defective devices in the market which had not been blocked, and it’s because the carriers didn’t implement the correct methodology. Again, I go back to that issue: why didn’t the carriers raise the red flag? I’ve been critical of the government and the regulator in that there was no major public awareness campaign. 3G was being shut down, with hundreds of thousands of devices defective. Why didn’t the carriers do more to alert Australians about this very serious situation?
Mr Coleman: The statement around the methodology and the testing of devices that might have occurred in 2023 is information that has come up during this hearing today. I think we need to test that information to see what was shared and tested at the time. It is certainly true that the carriers blocked a large number of devices around the time of the 3G shutdown—devices they knew would not be able to call triple zero, because they used 3G fallback, for example, were blocked at the time. Carriers put forward the view that, as soon as they were notified of this particular issue that came up with Samsung, they immediately met the requirements of the emergency call service determination. The Telstra CEO certainly said earlier today that they have been compliant since they became aware of that issue. We would need to test what the information was that was shared back in 2023 that was put to the committee today that wouldn’t have led to devices being blocked at the time, because the carriers put forward the view that they were unaware at the time that those devices would need to have been blocked.
Senator HENDERSON: Going back to my other question about the public awareness campaign, through your association, was there ever a recommendation for a public awareness campaign? And what was the nature of the representations made by the carriers to the ACCC for a device recall?
Mr Coleman : When it comes to the public education campaign, at the time of the 3G shutdown—we have two separate issues. The first is the 3G shutdown. The carriers were required to do a public education campaign at the time of the 3G shutdown. They had requirements for how many Australians that campaign would need to reach in terms of the population that would need to be reached by that public awareness campaign. That was undertaken by another industry association working with the mobile carriers. It predates my time, but I am aware of that public education campaign being a requirement of the 3G shutdown. There is then a separate issue of devices that are now known to have issues connecting to triple zero if they use 3G fallback. While there is not a specific public education campaign in terms of advertising or mass media buyers, that is because there is a direct requirement on carriers to contact individuals that are affected. I would argue that is the most important form of communication. If you can go directly to the affected consumers, then there shouldn’t be a requirement for a public education campaign that’s going to be informing people that aren’t affected. That’s if the people who are affected are directly contacted several times as a regulatory requirement, and it’s the carriers telling those customers they need to upgrade those devices. And, on the ACCC issue, we have not been involved in any requests to the ACCC for a device recall. I’m sorry—I can’t comment on that.
Senator HENDERSON: ‘We’ being your association?
Mr Coleman: My association, yes. We have not been involved in any calls for a device recall with the ACCC.
Senator HENDERSON: So you made a recommendation for a central device register. In light of the work you’ve been doing and what you’ve heard today, what other changes do you think need to be made to the way the carriers are currently regulated or in any other respect? For instance, Telstra did not tell TPG about the death on 24 September. They relied on NSW Ambulance to call the regulator. That seems completely inadequate.
CHAIR: We’re going to have to change.
Mr Coleman: I’ll quickly respond to that one. The device register will give the public an extra degree of assurance around devices that they are purchasing being compliant. Another measure that industry is doing off its own bat will be sharing information about devices with known issues. You’ve heard from the carriers in this committee that they all do their own, individual testing of devices on their networks. There hasn’t previously been a formal way for that information to be shared, so the carriers are seeking to establish a known-issues register so that information on any devices that are discovered, such as with the Samsung issue that occurred in late September, is shared between carriers. They can all then take action against any devices that are known to have issues.
Senator HENDERSON: Thanks, Mr Coleman.
Senator CADELL: Your point-in-time analogy is where I’m going to go a bit. Having a device register like this would not, by itself, have prevented what happened in the Optus outage; you just would have been aware. Those devices were sold correctly at the standard to get onto the triple zero network at that point in time; they just hadn’t kept up to date. Is that correct?
Mr Coleman: That’s right. By no means am I saying a device register is a silver bullet here. It would be a list of devices that have received a regulatory compliance mark and when they received it. We have not put the view that this register would necessarily be audited on a regular basis. This is the problem we have with the regime today: it is not audited. There is carrier testing and UTS testing, but there is no formal auditing mechanism for devices that have received the regulatory compliance mark. What we are doing is providing additional transparency so that a customer can see when the device received the regulatory compliance mark, that it’s ticked all the boxes and that it should be able to add on all of those other things, because at the moment there is no public source of that information.
Senator CADELL: The other point is on the grey area of blocking. We talked about legislation where phones that can’t access the system have to be blocked. On the ones that haven’t been updated, the numbers I just got from Samsung are amazing—1.6 million handsets have been updated and 98,000 of the same type haven’t. So, when you have blocking of phones that can’t access the system, it is ones that are technically incapable of it, not those that have taken up the option—is that correct? Or should those updated ones be blocked and then couldn’t be updated? What is the law there? What is the ruling there?
Mr Coleman: The rule is that, once a carrier becomes aware of a device being unable to make a triple zero call—
Senator CADELL: No matter what it is? My new Apple phone could be blocked if I had the wrong settings on or something like that, could it?
Mr Coleman: If any device is known not to be able to call triple zero and a carrier is aware of that, they have an obligation to block it within 28 to 35 days. So the customer needs to be notified of that. It does depend on when the carrier becomes aware of that issue, but that device blocking must occur.
Senator CADELL: I’m aware in all smart devices nowadays you can force an update.
Mr Coleman: You can.
Senator CADELL: But that comes with its own risks. What if I’m making a triple zero call while the update is being done and it’s an hour offline and I’m not on wi-fi? It comes with its own problems, doesn’t it?
Mr Coleman: This is something that has been discussed—should handset makers, whether it’s Samsung or any handset maker, for that matter, if they become aware that a software update could fix a phone’s inability to call triple zero, force it out to consumers? It should not. Why? You don’t know at that time if that consumer is trying to call triple zero, and their phone will get bricked for however long it might take to upgrade that phone. Equally, in some cases, your phone needs a certain amount of storage to do that upgrade. If you try to force that upgrade and the phone does not have sufficient storage to do it, you could potentially brick that device. That is a very bad consumer outcome in any of those cases. You can imagine that there would be a lot of different situations where a forced upgrade would be very disruptive for a consumer.
Senator CADELL: Like when we see ‘Your Outlook’s about to update in five minutes’ and we swear at the computer.
Mr Coleman: Exactly. It’s very similar, with potentially life-threatening consequences in the case of handsets. So we think the current regulation gets the balance right. It informs consumers multiple times of their need to upgrade the device at a time of their own choosing. Then, if they fail to upgrade the device within a set timeframe that is regulated, only then is the device blocked. I think it gives consumers adequate information about the need to upgrade without going too far in forcing it, which could be extremely disruptive and could lead to worse outcomes for consumers.
Senator CADELL: I asked this question of Samsung. Their name is linked to this, but we have the Google Pixels, Motorola, Apple and all these other handset manufacturers. Is there any knowledge that you have of any other handset manufacture having a similar problem?
Mr Coleman: The mobile network operators routinely test devices on their networks. If the problem was identified, as has occurred in this case with Samsung, they would immediately need to act on that. I am not aware of any other issues that have come up through the MNO testing of handsets. We now have a facility for MNOs to be able to share that information between them if they become aware of any issues with devices. That information sharing is yet to commence, but, if there were any known issues with devices, that information would be shared between carriers.
Senator CADELL: Last question. We had a TIO recommendation that the triple zero investigator or ombudsman or—what is it?—compliance officer be put under NEMA, not under the communications department. Have you looked at that? Do you form a view on that? Does your alliance have a view on that?
Mr Coleman: The custodian has now been established under the department of communications. That was a decision of the government. We’ll work cooperatively. We don’t have a view as to the TIO’s recommendation—whether it was NEMA or the department. The important thing is that it’s been established now. That’s a good development. It was one of the recommendations of the Bean review, and we’re working with them now.
CHAIR: Thank you, Mr Coleman. We appreciate your time today. I think there are some questions you’ve taken on notice. We look forward to getting the answers.
Mr Coleman: Thank you, Chair.
