For the last few years, Australia’s security agencies have been pushing for the mandatory retention of the communications data of every citizen. If implemented, this policy would require private companies to keep communications metadata of all customers for two years. Essentially, it treats every person as a criminal suspect. Yesterday, a parliamentary committee issued a report declining to recommend data retention and strongly criticizing the government for failing to adequately explain and justify its proposal. In the wake of the report, the governing Labor Party announced it will not pursue data retention before the next election. So data retention in Australia has been defeated, for now.
The most recent push began last July, when the Attorney General’s Department submitted a list of security proposals, including data retention, to the Joint Parliamentary Committee on Intelligence and Security. The scheme met with overwhelming public opposition—98.9% of public submissions rejected data retention. Civil rights groups and individuals explained that the scheme sacrifices the privacy of all citizens. Contrary to the government’s claims, collecting metadata is highly intrusive as it reveals the most intimate connections between persons. In addition, the scheme would create a huge trove of data vulnerable to hacking while imposing significant costs on private companies dragooned to act as the government’s spies.
The government failed to rebut these objections. In a ham-fisted attempt to avoid criticism, the Attorney General’s Department initially refused to provide concrete details about its data retention scheme. The committee strongly criticized this lack of transparency:
[T]he Committee was very disconcerted to find, once it commenced its Inquiry, that the Attorney-General’s Department had much more detailed information on the topic of data retention. Departmental work, including discussions with stakeholders, had been undertaken previously. Details of this work had to be drawn from witnesses representing the [department].
Journalist Bernard Keane tweeted that he’d “never seen a government-controlled committee give a kicking to a department” like this report did. In addition to slamming the department for hiding the ball, the committee acknowledged public concern about privacy:
[A] mandatory data retention regime raises fundamental privacy issues, and is arguably a significant extension of the power of the state over the citizen. No such regime should be enacted unless those privacy and civil liberties concerns are sufficiently addressed.
The committee punted on the ultimate issue. It wrote that there was “a diversity of views within the Committee” as to the merits of a data retention regime and said it was “ultimately a decision for Government.” With an election scheduled for later this year, the governing Labor Party announced that it is dropping the unpopular scheme.
Green Party Senator Scott Ludlam cautioned that, even with the defeat of this proposal, Australia’s security agencies might achieve the same result by other means. He warned that, in light of the recent NSA spying news, agencies may bypass domestic due process through the “wholesale importing of content and non-content data from colleagues in the U.S.” We need greater oversight of the security establishment to ensure that international cooperative agreements are not enabling the evasion of domestic legal restrictions.
Senator Ludlam also predicted that, regardless of who wins the next election, the data retention plan will be back. Security agencies will not abandon their campaign to treat every person like a criminal suspect. Privacy advocates in Australia and around the world need to keep up the fight.
Access to private data by Australia’s law enforcement and government agencies has increased by 20 per cent, and without any warrant. Australians are 26 times more likely to be placed under surveillance than people in other countries, local media report.
State bodies accessed private information over 300,000 times last year, or 5,800 times every week, figures from the federal Attorney General’s Department show.
The data includes phone and internet account information, the details of out and inbound calls, telephone and internet access location data, as well as everything related to the Internet Protocol (IP) addresses visited, the Sydney Morning Herald reports.
Australian media report that every government agency and organization uses the gathered telecommunications data, including the Australian Crime Commission, the Australian Securities and Investments Commission, the Australian Tax Office, Medicare and Australia Post.
New South Wales (NSW) Police became the biggest users of the private data, with 103,824 access authorizations during the last year – a third of all information accessed by the security forces.
The news triggered massive public outrage, with Australian Greens Senator Scott Ludlam telling the Sydney Morning Herald, “This is the personal data of hundreds of thousands, indeed millions of Australians, and it seems that just about anyone in government can get it.”
He said the move demonstrated the current data access regime was “out of control” and amounted to the framework for a “surveillance state”.
The reports come as the federal government proposes even wider surveillance powers, including a minimum two-year data retention standard for telephone and web providers, a measure causing public controversy.
The president of the NSW Council for Civil Liberties, Cameron Murphy, told the Australian Financial Review that, according to the statistics, recent proposals to step up police surveillance powers and keep internet and phone data for two years or more were little more than a “fishing expedition”.
“It’s stunning and completely outrageous that so much interception is going on,” Murphy said. “What seems to be happening now is this is being done as a matter of first course and not as a matter of last resort.”
The statistics gathered by the council demonstrate that Australians are 26 times more likely to be placed under surveillance than in comparable countries.
However, a spokesperson for Attorney-General Nicola Roxon indicated that “these new statistics show telephone interception and surveillance powers are playing an even greater role for police so they can successfully pursue kidnappers, murderers and organized criminals.”
Ludlam, on the other hand, set out what should accompany any such expansion.
“It’s incumbent on the parliament’s national security inquiry to recommend some form of warrant authorization be introduced, and that there be a review and reduction of the government agencies that can access the personal communications data of millions of Australians,” he said.
Australians are fending off threats to their right to privacy from all directions. First, there was Australian Attorney General Nicola Roxon’s push to expand government online surveillance powers, submitted to Parliament in a package of reforms sought in a National Security Inquiry.
Then, on Aug. 22, the Australian Senate approved the Cybercrime Legislation Amendment Bill 2011, granting authorities the power to require phone and Internet providers to store up to 180 days’ worth of personal communications data. The purpose is to aid investigations by both foreign and domestic law enforcement agencies, which makes it especially controversial, since it can result in foreign governments gaining access to Australian citizens’ communications data. The legislation only allows for data retention in the cases of specifically targeted individuals.
The bill is based on the Council of Europe Convention on Cybercrime – which we’ve flagged in the past as one of the world’s worst Internet law treaties – and the passage of the bill opens the door for Australia to join the Convention.
At least we can welcome the news that one of the most controversial aspects of Roxon’s National Security Inquiry proposal, a vague mandatory data retention provision that would have required service providers to retain all users’ communications data for up to two full years, seems to have been placed on hold – for now, anyway.
Yet at the same time, the newly approved Cybercrime Legislation Amendment Bill 2011 is viewed by some in Australia as a kind of “data retention lite,” and a precursor to the mass, untargeted surveillance that the more extreme proposal may yet usher in. An outcome of the approval of this bill, after all, is that providers will now have to install systems enabling data retention for up to 180 days – and pay for it themselves.
Public Fights Back
Despite the steady march toward expanded online snooping powers for law enforcement in the name of “national security,” a hefty pile of submissions landed in Parliamentary chambers last week, reflecting strong public opposition to the proposed reforms. A total of 177 submissions, representing thousands of individuals and organizations, flowed in to the Joint Parliamentary Committee on Intelligence and Security even though the government allowed only a brief time frame for comment.
Below, we have collected reactions from various Australian stakeholders who drafted lengthy submissions to convey their serious concerns. Civil liberties advocates aren’t the only ones worried about where this is going. The Australian Mobile Telecommunications Association and Communications Alliance, a telecom industry group, also chimed in to express concerns about costly new requirements for telecoms that would come attached to these surveillance measures. Since data retention disproportionately burdens smaller ISPs by requiring expensive equipment upgrades, the measure has the potential to hamper innovation by discouraging new startups from entering the market.
Re: Making it a Crime to Refuse to Aid in Decryption
One of the worst ideas contained in the National Security Inquiry package is the creation of a new crime under the Telecommunications (Interception and Access) Act of 1979: Refusing to aid law enforcement in the decryption of communications. That interception law granted law enforcement agencies, such as the Australian Federal Police (AFP) and the Australian Crime Commission (ACC), the ability to legally intercept communications for the first time. Reactions to the proposal hinged on the threat it poses to Australians’ right to silence.
Senator Scott Ludlam, speaking on behalf of the Australian Green Party, had this to say:
While the integrity of Australian’s right to silence has been damaged by the anti-terrorism laws, with regard to other criminal offences it remains intact. This proposal further degrades the right to silence, presumably to pre-trial investigations and undermines the privilege against self incrimination. … The Committee should oppose this proposal as a serious erosion of the legal and human rights of Australians.
Electronic Frontiers Australia, a digital civil liberties organization (which is not formally affiliated with EFF), pointed out a number of problems with this idea:
EFA is concerned about the possible creation of an offence for failing to assist in the decryption of communications for the following reasons:
- it undermines the right of individuals to not cooperate with an investigation
- it poses a threat to the independence of journalists and their sources, particularly in circumstances involving whistle-blowing activity related to cases of official corruption
- it could undermine the principles of doctor-patient and lawyer-client confidentiality and other trusted relationships
- there are foreseeable and entirely legitimate circumstances in which decryption of data is not possible, such as where a password has been forgotten and is unrecoverable.
EFA therefore believes that the Committee should reject this proposal.
Re: Extending the Regulatory Regime to “Ancillary Service Providers”
A discussion paper submitted as part of the National Security Inquiry proposal makes it clear that the Australian government is “considering the need for a new interception regime that better reflects the contemporary communications environment,” i.e. a total overhaul of existing legislation to allow law enforcement to pry into communications taking place over platforms like Facebook or Twitter. The discussion paper defines “ancillary service providers” as “Telecommunications industry participants who are not carriers or carriage service providers.” Ultimately, this suggests the government is angling to bring all forms of online communications into the reach of interception laws.
The Australian Privacy Foundation cited the privacy concerns inherent in this proposal.
Telecommunications legislation already goes much further than regulation in most other sectors in mandating a role for private sector businesses as agents of the state in surveillance and law enforcement (banking and finance is the other main area where this has happened). These proposals would see a further significant extension of this role. Online intermediaries in particular host our communications with our friends, relatives, co-workers etc. They host a vast amount of information, the volume and scope of which is growing exponentially as we move to the cloud, use social networks, etc. Using online intermediaries as an agent of the State dramatically impacts on the state’s surveillance capabilities. Even minor changes in what they are required to do on behalf of government agencies can have very broad implications for people’s privacy.
Ludlam, of the Australian Greens, also blasted the idea.
The Attorney General’s paper does not explain how covering ‘ancillary service providers’ – the many and ever increasing forms of social media – in legislation will address ‘current potential vulnerabilities in the interception regime that are capable of being manipulated by criminals’. The Greens believe it is excessive to extend the reach of surveillance into the retention of all social media exchanges. Does this include all business exchanges on video conferencing platforms?
And EFA pointed out that this proposal could expose anyone to law enforcement scrutiny, not just people suspected of wrongdoing.
Central to many of the services that Australians deliberately sign-up for— e.g. Facebook, Twitter, Pinterest, Apple iCloud, etc.—is the concept of sharing across networks. In surveilling a target’s activities in such services, shared friends or media objects connect target and non-target individuals such that following one surveillance target inescapably involves collateral surveillance necessarily breaching the privacy of non-targets. …. Indeed, “cloud computing” itself underlies “social networking”. As such, the information flows pertaining to individuals cross and recross such services to the point where, again, separating surveillance of a particular target is almost inevitably going to encounter that of other individuals, but in this case in ways that cannot be anticipated and very deeply undermine Australians’ reasonable expectation of privacy.