Wednesday, August 13, 2014

Going against the grain on data retention

George Brandis claimed last month that data retention was "the way Western nations are going", but the opposite is true.  Australia would be going against the grain.

It would have been good if, at their press conference last Friday, the Australian Security Intelligence Organisation and the Australian Federal Police had been joined by all the other government bureaucracies that passionately support mandatory internet data retention.

Because data retention is not about national security.  It's about collecting data on every Australian for every law enforcement and regulatory compliance agency to use.  And for everything from serious crimes to trivial infractions.

So David Irvine of ASIO and Andrew Colvin of the AFP could have been joined by Chris Jordan of the Australian Taxation Office, Rod Sims of the Australian Competition and Consumer Commission, and Greg Medcraft of the Australian Securities and Investment Commission.  All have been pushing for data retention in committee hearings and inquiries.

And then, for completeness, we could have had a few of the dozens of state and federal agencies who currently enjoy authorised access to private communications data under the existing Telecommunications (Interception and Access) Act.

Squeeze on stage the Western Australian Department of Fisheries, Racing Queensland, New South Wales Health Care Complaints Commission, RSPCA South Australia, and Wyndham City Council.  They would all be beneficiaries of mandatory data retention.

In other words, data retention is hardly a targeted anti-terrorism measure.

There were, in fact, two separate data retention proposals last week.

The first was announced by Tony Abbott and George Brandis on Tuesday.  We've all seen the muddled interviews but the broad strokes of the policy itself were relatively clear.  The Government was planning to force internet service providers to record both the internet protocol (IP) addresses of their customers and the IP addresses of the websites that those consumers visited.

This is sometimes known as "session logging", or more popularly as "browsing history".

Abbott and Brandis clearly left the National Security Committee last Monday night, and Cabinet on Tuesday, thinking session logging was what had been agreed to — it was the "in-principle decision".

Then something changed.  A second proposal was announced by Malcolm Turnbull, and confirmed at the ASIO and AFP conference on Friday.  In this, the only data that is to be kept is IP addresses matched to customer details.  Not a record of all the sites the customers visit.

With the data provided by the Abbott-Brandis session logging policy, it would be possible to map out a person's entire world.  No ISP keeps such a record of its customers' online lives.  Why would it?  Anyway, doing so would be in breach of Australian Privacy Principles, which state that no more information ought to be kept than is necessary for business purposes.

The Turnbull policy is still useful for law enforcement, but much, much narrower.  It's only a small step away from billing information.  And a few ISPs do keep this data.  Storing it consistently might be expensive — very expensive for some ISPs — but it's hardly the giant threat to privacy and liberty that the Abbott and Brandis policy constitutes.

Most importantly, it is not the mandatory data retention policy proposal that has been on the table for years — large-scale session logging — the policy that Malcolm Turnbull described in 2012 as "the latest effort by the Gillard government to restrain freedom of speech".

Thank goodness.

As Bernard Keane has found, the Attorney-General's Department has been pushing for the full version of data retention since at least 2008.

The intellectual genesis of this policy goes back 2006, when the European Union passed the Data Retention Directive.  (Australians rarely come up with these ideas themselves.)

The directive instructed all EU member states to retain large quantities of communications data — both source and destination — for the investigation of "serious crime".  You can read it here.  Article 5 outlines how just how large those quantities were to be.

European countries did as they were told.

Their experience shows that Tony Abbott was spot on when he said on Wednesday that data retention was designed to fight "general crime", not just terrorism.

In a sample 12-month period, an Austrian review found that the most common law enforcement use of retained data was for cases of theft, followed by drugs, followed by stalking.  Terrorism didn't rate.

Internet traffic data retained by Poland's scheme is being used "more and more" for civil disputes — even divorce cases.

The Danish Justice Ministry found only two cases where session logging has been useful in half a decade.  Neither concerned terrorism.  Denmark gave up data retention in June this year.

Germany's Federal Crime Agency concluded that data retention had no statistically relevant effect on crime or crime clearance.  Crime continued its long-term decline even after data retention was abandoned in Germany in 2010.

We could go on.  Brandis claimed last month that data retention was "the way Western nations are going" but the opposite is true.  Data retention is being wound back, repealed, and abandoned.  In April this year the European Court of Justice found that the EU directive was unconstitutional.

Australia already has a powerful, robust mechanism to monitor suspects online:  targeted data preservation notices on the telecommunications of suspects.  This regime was updated just two years ago.

But that, perhaps, is beside the point.  The last week has demonstrated that the debate over telecommunications surveillance is held in widespread ignorance — ignorance about our existing capabilities, the constantly evolving legal framework, and the architecture of the internet.

Not surprising, of course.  This stuff is complicated.  Technology policy is hard enough.  Add onto that our labyrinth telecommunications intercept laws.

But politicians ought to try to understand the laws their departments insist they introduce.

Abbott and Brandis seem to have thought that merely mentioning the word "terrorism" would be enough to ensure their policy an easy run.

Yet no matter how real the terrorist threat, the pre-emptive surveillance of every single Australian would be an extraordinary policy in every sense of the word — way outside the bounds of proportionality, and way outside the boundaries of legitimate government action in a free country.

No comments: