Mandatory Data Retention

Metadata mission creep? Who would have thought?


The latest proposal from Victoria Police to monitor mobile phone use highlights the danger of mission creep under mandatory metadata retention laws:

The so-called textalysers… are able to analyse metadata to determine whether someone was using their mobile phone at a specific time – while driving, for example.

… The model proposed by New York authorities involves the analysis of a mobile device’s metadata after a road incident to determine whether the device had been used in the lead up to the event.
… Privacy laws are slowing progress of the proposed new legislation, although Israeli company Cellebrite, which produces the technology, claims that the textalyser system doesn’t have the ability to read the content of text messages and social media updates, but rather to determine whether the device was used at a certain time to send text messages.

However, Australia’s new metadata retention laws, which allow for the time and basic surface details of every message sent to be stored and made available to law enforcement agencies, could speed the technology’s introduction here.

While the government justified the introduction of metadata laws largely to fight terrorism, the inherent danger with gathering mountains of personal data (beyond privacy and data security issues) is that once it exists other entities will inevitably demand access (see that list here).

In fact, the IPA’s Simon Breheny predicted this as early as 2012, and the IPA’s Chris Berg warned about the likelihood of the compulsorily acquired metadata being used for purposes other than national security at the time of its introduction in 2014:

A lot of opponents of data retention have pointed out that this creates a very real risk of unauthorised access. It’s hard to keep data secure.

Yet just as concerning is authorised access. Once these databases have been created they will be one subpoena away from access in any and every private lawsuit.


The many, many government agencies requesting warrantless data access

On FreedomWatch last year, Chris Berg said this:

Under the data retention bill passed earlier this year, the number of agencies with access had been strictly limited to criminal law enforcement agencies. As the IPA argued at the time, this was almost certain not to last – regulators across the country have been chomping at the bit for years to get a hold of our internet records, and it would be trivially easy for this or future governments to quietly reinstate these agencies into the data retention scheme.

And those regulators have wasted no time in requesting to be given this access. According to information released under freedom of information laws, an extraordinary 61 agencies have already sought authorisation to access telecommunications data held under the federal government’s 2015 mandatory data retention laws.

You can see the full list here.

We are now seeing how this legislation highlights the expansive nature of modern government. You might be aware that the state and federal governments have created a plethora of bodies with dubious public benefit: for example, the various state government bodies specifically dedicated to regulating greyhound and harness racing, or the Commonwealth’s National Measurement Institute, which exists to maintain “Australia’s units and standards of measurement”. What you might not have known is that these bodies (and even non-government entities, such as the RSPCA) have decided that they need warrantless data access to carry out their work.

For many of these agencies, that can hardly be the case. Can you imagine what laws the NMI enforces that would require data access at all?

If these agencies need access to data, they should be told to get a warrant.


Government agencies requesting data access without a warrant


The ease with which the government would resort to undermining the privacy of its citizens just to make regulatory enforcement slightly easier is deeply concerning.

Since as early as 2012, the IPA has warned mandatory data retention would not be used solely for national security purposes.

Now, it is being reported that Primary Industries and Regions SA is seeking to become the next agency which can access retained data without requiring a warrant.

They can join this list of government agencies that should be told that if they want data access, they should get a warrant:



Is this the next step, following mandatory data retention?

Draft national security legislation revealed last Friday would add little value to Australia’s efforts to combat terrorism, and will be a significant regulatory burden on the telecommunications sector.

According to the exposure draft, the Telecommunications and Other Legislation Amendment Bill 2015 would, if passed, compel carriage service providers to “do their best” to

protect telecommunications networks and facilities from unauthorised interference, or unauthorised access, for the purposes of security. Carriers and carriage service providers must notify changes to telecommunications services or telecommunications systems that are likely to have a material adverse effect on their capacity to comply with this duty 

Since such service providers would naturally “do their best” to see that their networks are uncompromised, it is unclear what is added by the bill. It is fuzzy law at best, and it would be remarkably difficult for a person to know whether they are meeting their legal obligations.

While the national security benefits are unclear, the proposed regulatory burdens are not. For instance, section 314A(3) of the bill requires carriage service providers to notify the government (the “Communications Access Co-ordinator”) of their intention to implement a change to telecommunications services. Sections 315A and 315B could potentially see the Attorney-General issue directions to carriage service providers to “cease using or supplying… carriage services” or “to do, or to refrain from doing, a specified act or thing within the period specified in the direction.”

From mandatory data retention, to online piracy legislation, 2015 has seen a suite of burdensome but ineffectual laws passed at the intersection of technology, telecommunications and national security. If passed, these new proposals would add to that list.


Racing integrity commissioner to have access to retained data?


Sal Perna, Victoria’s Racing Integrity Commissioner

Politics, like comedy, is about timing. This week Melbourne has been under its usual racing-induced fever. So Victoria’s Attorney-General Martin Pakula took the opportunity on Monday to publicly appeal to the federal government that the Victorian Racing Integrity Commissioner be reinstated as one of the authorised agencies for warrantless access to telecommunications data under the data retention scheme.

Under the data retention bill passed earlier this year, the number of agencies with access had been strictly limited to criminal law enforcement agencies. As the IPA argued at the time, this was almost certain not to last – regulators across the country have been chomping at the bit for years to get a hold of our internet records, and it would be trivially easy for this or future governments to quietly reinstate these agencies into the data retention scheme.

Mandatory data retention is a rolling violation of our privacy. Is such a violation justified in order to protect the “public confidence” in the racing industry? There are more fundamental issues of public confidence here – the public’s confidence that the government is not routinely harming the privacy of its citizens just to make regulatory enforcement slightly less bureaucratically onerous. If the Victorian Racing Integrity Commissioner needs to access data, they ought to get a warrant.


Mandatory internet data retention comes into operation today

Simon Breheny and I have been arguing the case against data retention since it was first mooted by the Gillard government – it violates the privacy of every Australian just in case they are later accused of criminality, it will be used for more than just anti-terror policies, and there are alternative policies and approaches which better respect individual liberty. You can read the IPA’s submission to the parliament’s data retention inquiry here.

But all the critiques aside, data retention is shaping up to be a case study in poor policy implementation.

Internet service providers have long argued that retaining that amount of data would be prohibitively complex. In fact, one of the most striking things about the whole debate has been the gap between how easy government has suggested implementing data retention would be and how hard ISPs have said it would be.

No surprise then that Fairfax is reporting that 80 per cent of ISPs are not actually going ‘live’ with data retention compliance today, but have applied for extensions of 18 months. There is widespread confusion about how much data is to be retained, and no transparency on how the ISPs will be compensated for storing masses of information on their customers’ activity.

Implementation was always going to be a problem with data retention. But it is hard not to conclude that the implementation problems ISPs are now experiencing are the direct result of the government’s lack of conceptual and technical clarity about how data retention relates to current ISP practices.


The ATO is a national security organisation?


Remember when Chris Berg argued mandatory data retention was not about national security?

The IPA has been warning for years that some of the most virulent supporters of data retention aren’t security and law enforcement agencies, but economic regulators. (As we said in this press release from September 2012…) But if the scope of data retention wasn’t clear before, it ought to be now. This is not a targeted national security measure, and it appears the government has no intention of ensuring that it is one.

As reported in The Australian, the Parliamentary Joint Committee on Law Enforcement has recommended that the tax office be made a “criminal law enforcement agency”, meaning:

The Australian Taxation Office would have tough new powers to access intercepted telecommunications information under a proposal to help better track down major tax fraud that threatens public finances.

As the government wrestles with restoring the budget, a powerful parliamentary joint committee yesterday said it was persuaded the ATO should be able to access stored phone calls, emails and SMS to protect the public purse from “serious criminal activities”.

The committee pointed to Australia’s largest tax-evasion investigation, Project Wickenby, to argue the ATO should have some of the same powers as police, corruption commissions and the Australian Crime Commission under the Telecommunications (Interception and Access) Act.

The proposal, if adopted, would effectively see the controversial data-retention scheme expanded to include the ATO.

Of course, this is true to form. FreedomWatch was concerned when, more than three years ago, the ATO argued – to a parliamentary committee on intelligence and security which was examining the relationship between technology and counter-terrorism – it needed ‘tough new powers to access phone taps, text messages and other communications’ to combat tax fraud.

The parallels between then and now are eerie.


Sinclair Davidson highlighted another problem with this over at Catallaxy Files:

As I keep saying to people: You have no effective right of privacy against the government. When it comes to things such as the income tax, this is a feature of the system not a bug.

Know too that the Australian government is a strong advocate for tax information sharing – that means that any government in the G20 could be able to hear your phone conversations if it could be construed to relate to taxation. So you shouldn’t be saying anything on the phone that you wouldn’t want the Russian Mafia, or any other criminal organisation (not including government – they know already), to know.


‘Conservative’ MP calls for anti-terror laws to enforce social values


Conservative MP Mark Spencer

We have often pointed out that what is introduced as “anti-terror” policy is regularly used for economic regulation. The Australian government’s mandatory data retention scheme, for instance, was always intended to empower economic regulators as much as it was security agencies.

In the United Kingdom, one Conservative Party MP would like anti-terror laws to spill all the way over to managing social philosophy:

New banning orders intended to clamp down on hate preachers and terrorist propagandists should be used against Christian teachers who teach children that gay marriage is “wrong”, a Tory MP has argued.

Mark Spencer called for those who use their position in the classroom to teach traditionalist views on marriage to be subject to “Extremism Disruption Orders” (EDOs), tough new restrictions planned by David Cameron and Theresa May to curb radicalisation by jihadists.

National security is a fundamental responsibility of government, and few could deny the importance of anti-terror measures. However, such laws are too often used by politicians and regulators who have a very different idea of the appropriate limits of government action than those who introduced the laws in the first place.


Better late than never?

Months after it gave the government its support, the ALP has agreed to review its position on mandatory data retention legislation. As The Age reported from the party’s national conference:

However a growing list of non-criminal government agencies is authorised to access ordinary citizens’ metadata without obtaining a warrant, including local councils, Australia Post, the RSPCA, racing bodies and more.

“Labor wants to ensure that the types of agencies with access to the data and purposes for which the data is available are appropriate,” the amendment reads.

“We want to ensure that the current warrants scheme and the threshold conditions on warrantless access are appropriate and that freedom of the press is protected.”

That access to retained telecommunications data is not restricted to security agencies is no surprise, as the IPA’s Chris Berg made very clear on FreedomWatch before the passage of the bill.

