Going Against The Grain On Data Retention

George Brandis claimed last month that data retention was “the way Western nations are going”, but the opposite is true. Australia would be going against the grain, writes Chris Berg.

It would have been good if, at their press conference last Friday, the Australian Security Intelligence Organisation and the Australian Federal Police had been joined by all the other government bureaucracies that passionately support mandatory internet data retention.

Because data retention is not about national security. It’s about collecting data on every Australian for every law enforcement and regulatory compliance agency to use. And for everything from serious crimes to trivial infractions.

So David Irvine of ASIO and Andrew Colvin of the AFP could have been joined by Chris Jordan of the Australian Taxation Office, Rod Sims of the Australian Competition and Consumer Commission, and Greg Medcraft of the Australian Securities and Investment Commission. All have been pushing for data retention in committee hearings and inquiries.

And then, for completeness, we could have had a few of the dozens of state and federal agencies who currently enjoy authorised access to private communications data under the existing Telecommunications (Interception and Access) Act.

Squeeze on stage the Western Australian Department of Fisheries, Racing Queensland, New South Wales Health Care Complaints Commission, RSPCA South Australia, and Wyndham City Council. They would all be beneficiaries of mandatory data retention.

In other words, data retention is hardly a targeted anti-terrorism measure.

There were, in fact, two separate data retention proposals last week.

The first was announced by Tony Abbott and George Brandis on Tuesday. We’ve all seen the muddled interviews but the broad strokes of the policy itself were relatively clear. The Government was planning to force internet service providers to record both the internet protocol (IP) addresses of their customers and the IP addresses of the websites that those consumers visited.

This is sometimes known as “session logging”, or more popularly as “browsing history”.

Abbott and Brandis clearly left the National Security Committee last Monday night, and Cabinet on Tuesday, thinking session logging was what had been agreed to – it was the “in-principle decision”.

Then something changed. A second proposal was announced by Malcolm Turnbull, and confirmed at the ASIO and AFP conference on Friday. In this, the only data that is to be kept is IP addresses matched to customer details. Not a record of all the sites the customers visit.

With the data provided by the Abbott-Brandis session logging policy, it would be possible to map out a person’s entire world. No ISP keeps such a record of its customers’ online lives. Why would it? Anyway, doing so would be in breach of Australian Privacy Principles, which state that no more information ought to be kept than is necessary for business purposes.

The Turnbull policy is still useful for law enforcement, but much, much narrower. It’s only a small step away from billing information. And a few ISPs do keep this data. Storing it consistently might be expensive – very expensive for some ISPs – but it’s hardly the giant threat to privacy and liberty that the Abbott and Brandis policy constitutes.

Most importantly, it is not the mandatory data retention policy proposal that has been on the table for years – large-scale session logging – the policy that Malcolm Turnbull described in 2012 as “the latest effort by the Gillard government to restrain freedom of speech”.

Thank goodness.

As Bernard Keane has found, the Attorney-General’s Department has been pushing for the full version of data retention since at least 2008.

The intellectual genesis of this policy goes back 2006, when the European Union passed the Data Retention Directive. (Australians rarely come up with these ideas themselves.)

The directive instructed all EU member states to retain large quantities of communications data – both source and destination – for the investigation of “serious crime”. You can read it here. Article 5 outlines how just how large those quantities were to be.

European countries did as they were told.

Their experience shows that Tony Abbott was spot on when he said on Wednesday that data retention was designed to fight “general crime”, not just terrorism.

In a sample 12-month period, an Austrian review found that the most common law enforcement use of retained data was for cases of theft, followed by drugs, followed by stalking. Terrorism didn’t rate.

Internet traffic data retained by Poland’s scheme is being used “more and more” for civil disputes – even divorce cases.

The Danish Justice Ministry found only two cases where session logging has been useful in half a decade. Neither concerned terrorism. Denmark gave up data retention in June this year.

Germany’s Federal Crime Agency concluded that data retention had no statistically relevant effect on crime or crime clearance. Crime continued its long-term decline even after data retention was abandoned in Germany in 2010.

We could go on. Brandis claimed last month that data retention was “the way Western nations are going” but the opposite is true. Data retention is being wound back, repealed, and abandoned. In April this year the European Court of Justice found that the EU directive was unconstitutional.

Australia already has a powerful, robust mechanism to monitor suspects online: targeted data preservation notices on the telecommunications of suspects. This regime was updated just two years ago.

But that, perhaps, is beside the point. The last week has demonstrated that the debate over telecommunications surveillance is held in widespread ignorance – ignorance about our existing capabilities, the constantly evolving legal framework, and the architecture of the internet.

Not surprising, of course. This stuff is complicated. Technology policy is hard enough. Add onto that our labyrinth telecommunications intercept laws.

But politicians ought to try to understand the laws their departments insist they introduce.

Abbott and Brandis seem to have thought that merely mentioning the word “terrorism” would be enough to ensure their policy an easy run.

Yet no matter how real the terrorist threat, the pre-emptive surveillance of every single Australian would be an extraordinary policy in every sense of the word – way outside the bounds of proportionality, and way outside the boundaries of legitimate government action in a free country.

Security Bill Widens Government Surveillance Powers

The National Security Amendment Bill (No.1) 2014, introduced into federal Parliament last month, is 128 pages long. The bill’s explanatory memorandum is larger again – 167 pages.

It’s an absolute behemoth – complex, labyrinth, and, to outsiders, entirely opaque. In that sense, the bill is a great metaphor for the massive national security apparatus that has developed since the September 11, 2001 terror attacks.

It’s also the first major piece of Australian national security law reform since Edward Snowden a year ago revealed America’s program of global and indiscriminate mass surveillance.

Timing matters. The Snowden revelations demonstrated that not everything done in our name is done in our interest – and too often it is done without any democratic scrutiny, let alone the approval of voters.

So what should voters make of the Abbott government’s new national security bill?

It seems the three most significant elements are a new power to allow spies to plant software on targeted computers, new penalties for intelligence whistleblowing, and a prohibition on anybody releasing any information about “special intelligence operations”.

But it isn’t clear what the practical implications of these powers are. Are there any boundaries on what constitutes a special intelligence operation? Could journalists be prosecuted for reporting on national security leaks? Getting details out of the government is like pulling fingernails.

National security is a unique area of public policy. It’s one of the most important functions of government. Yet citizens have very little idea of what the government does under the guise of protecting them.

So the debate over national security powers is always held under a veil of ignorance. Usually serious public policy discussion requires evidence. But when we’re talking about security those evidentiary standards go out the window. The best we get is hand-waving about terrorism and, now, Australian residents fighting in Syria. We’re told to take the government on trust.

Given that a basic principle of democracy is that governments must justify themselves to the citizenry, this is a problem. Terrorism is a real threat. But it is not a blank cheque for legislative change.

The democratic accountability problem is enhanced even further by the fact that – as the Edward Snowden leaks have demonstrated – Western governments have repeatedly lied about their national security actions and have kept hidden evidence of their own wrongdoing.

In his recent book, Secrets and Leaks: the Dilemma of State Secrecy, Princeton academic Rahul Sagar argues there are no easy ways to impose democratic accountability on the national security state.

Blind trust isn’t an option. Democracies cannot rely on blind trust. Unfortunately radical openness isn’t an option either. We don’t want the bad guys to know everything about ongoing enforcement operations.

Institutional accountability mechanisms – like parliamentary committees and independent watchdogs – are good, but they tend to be captured by the agencies they are overseeing.

Sagars conclusion is that the best we can hope is that whistleblowers expose wrongdoings.

When America’s mass surveillance program was first revealed by Snowden last year, the Obama administration instinctively responded the program was necessary to prevent terrorism.

Yet in December, 2013 the administration’s own advisory panel concluded that bulk mass surveillance “was not essential to preventing attacks” and traditional, targeted surveillance methods was sufficient. This panel was no naive civil libertarian whitewash. One member was even a former CIA deputy director.

A study by the New America Foundation – a bipartisan thinktank partly funded by the US government – concluded mass surveillance “has had no discernible impact on preventing acts of terrorism”.

Australia is one of the members of America’s Five Eyes surveillance coalition, alongside Canada, the United Kingdom and New Zealand. Unfortunately our governments have been no more honest than American administrations about the need for new security powers.

For instance, the government claims its national security bill is mostly just a long-overdue update of 1970s-era telecommunications interception law. But this argument would be more plausible if the Telecommunications (Interception and Access) Act 1979 had not been updated more than 50 separate times in the past two decades.

The bill is apparently the first of a series. Attorney-General George Brandis said last week a second tranche of reform will make it easier to prosecute Australians fighting overseas, and make it illegal to “promote” terrorism. OK. But it’s already illegal to “incite” terrorism. Is that not enough? Will the government explain, specifically, why changes are needed? Don’t hold your breath.

A third tranche is likely to introduce mandatory data retention. That policy would require internet service providers to record almost everything every Australian does on the internet, just in case law enforcement agencies – from anti-terror spies to competition regulators – decide, in the future, to have a look. Mandatory data retention is both expensive and repressive.

There will probably be a fourth tranche. Tony Abbott wants to be a tough-on-terror prime minister.

The Snowden revelations should teach us one thing. Now, more than ever, the burden of proof rests on those who say we must trade off our liberty and privacy for security. That burden has not been met.

No Vote Of Confidence In ID Laws

Policy change happens when events meet ideas.

And so it is with voter ID laws – the idea that we ought to be required to show formal identification when we vote on election day.

Currently our electoral system is based on trust. Voting simply requires a voter to state their name and have it crossed off a list.

It’s incredibly insecure. Charmingly so. Alongside the sausage sizzle, the old-fashioned electoral procedure is no small part of what creates the romanticism of Australian democracy.

On Thursday, during Senate estimates, the Australian Electoral Commission said it was referring 8000 cases of multiple voting in 2013 to the Australian Federal Police. (Voting more than once, in case you didn’t know, is illegal.)

This is a lot. After the 2010 election, only 19 cases were referred to the AFP.

After the loss of 1400 ballots in Western Australia, the reputation of the AEC – and, by implication, the integrity of the electoral system itself – is understandably shaky. There is a strong political desire to do something about the AEC. Something. Anything.

Hence the political push for voter ID laws, which are supposed to prevent multiple voting. Last month, Queensland introduced its own voter identification laws as part of its electoral reform package.

But voter ID is a non-solution to a non-problem.

Let’s start with the non-problem.

Clive Palmer reckons Australians can “vote 10, 20, 30 times if you like”. A voter could visit more than one poll booth and vote under their own name multiple times. Or they could vote multiple times by impersonating other voters, at the same or different booths.

In each case, they would be abusing the trust system. (A person could also potentially enrol multiple times. But enrolment fraud is much harder to pull off.)

Yet just because a law is occasionally broken doesn’t mean it is an urgent problem.

We know when multiple voting happens because once the election is over, the AEC compares the booths’ lists to see if some names are crossed out more than once.

The large number of multiple voters referred to the AFP this year reflects the fact that the AEC is taking the phenomenon more seriously – for political reasons – not that multiple voting is getting more common.

Sure, 8000 cases sounds like a big number. But 10,000 further multiple votes are recorded simply because of human error by booth workers.

In other words, we’re talking well within the election’s margin of error here.

The vast majority of multiple voting instances – usually above 80 per cent – are attributed to confused elderly voters, who often speak English as a second language or not at all. (This 2009 AEC paper details the findings up until the 2007 election. From the evidence given by the AEC to estimates last week that proportion is unlikely to have changed.) Only a tiny fraction of multiple voters have admitted that they were “trying out the system”. Maybe a few hundred in 2013, spread across 14 million electors.

Others say they were drunk. Okay.

One reason the AFP prosecutes so few multiple voters is because there are so few of them. Another reason is that the problem is just not consequential enough to spend scarce resources on.

It is certainly possible to imagine a scenario where multiple voting could strategically alter election results; to swing tight races and thus steal power. That seems to be the underlying concern about multiple voting.

But the concern is misplaced. In a detailed study for the New South Wales Parliament earlier this year, the University of Sydney’s Rodney Smith concluded that “stealing elections is hard … large-scale multiple voting is highly unlikely to emerge as a problem”. Our trust system might facilitate multiple voting, but such behaviour is easy to detect after the fact. Questionable election results can be disputed.

As Smith pointed out, there is no evidence to suggest that multiple voting is directed towards marginal seats, which is what we’d see if one party was trying to game the electoral system.

But Parliament is about finding solutions to problems, not figuring out whether those problems exist.

So, with the AEC’s reputation at a low ebb, there is a push for a voter ID requirement to eliminate multiple voting. The push is coming mostly from the Coalition.

Voter ID would tackle only one of the ways to multiple vote – the impersonation of other voters. It wouldn’t do anything to stop people visiting different booths under their own name. (Unless of course the lists were somehow digitally tied together and updated in real time. This would be incredibly complex, and it’s not on the table.)

Not every change to an electoral system is necessarily self-interested and anti-democratic. But that’s not a bad rule of thumb.

In the United States, voter ID requirements are used to suppress the vote of traditional Democrat constituencies: the young, poor, and minorities. Those groups are less likely to have and carry appropriate identification.

But voting is voluntary in the US. Australia’s compulsory system means voter ID would create a different dynamic. Those voters who find producing identity documents too troublesome and fail to vote will be fined for not doing so. This punishment to vote may (partly) counterbalance the disincentive of having to show identification.

The Queensland reforms allow voters to show a reasonably broad range of identity documents – not just photo ID. If none are on hand, voters would be able to sign declarations of their identity.

But you can imagine how such new rules will gum up the works on election day. Confused voters sorting through identity papers. Booth workers trying to guide non-English speaking elderly through declaration statements.

What an enormous amount of hassle and complexity to fix a non-problem. Voter ID is yet another bureaucratisation of our little democracy.

Opening statement to Commonwealth Legal and Constitutional Affairs References Committee inquiry into Comprehensive revision of the Telecommunications (Interception and Access) Act 1979

With Simon Breheny

Thank you, first of all, to the committee chair, Senator Scott Ludlam, and the other members of the committee for inviting us to speak with you this morning. At the outset, let me make some general statements of principle. These principles should guide any reform to the Telecommunications (Interception and Access) Act 1979.

Interception and access of telecommunications data by government agencies is an intrusion into the human right to privacy. As individuals we have the right to control aspects of our lives that we wish to keep private. Government access to communications data should be strictly limited. The first limitation on access to communications data is the requirement that it must be targeted towards a person reasonably suspected of criminal wrongdoing. The second limitation is that interception of and access to communications data should only be allowed in accordance with a warrant issued by the courts. Warrants allow the interception and access to communications data in limited circumstances. They create a threshold for interception and access and ensure a level of accountability of the law enforcement agencies conducting criminal investigations by judicial oversight.

The proposal to introduce a mandatory data retention regime in Australia is a clear violation of these principles. Mandatory data retention would establish a systematic and ongoing mass surveillance regime on the internet activity of everyone in Australia. It is a very serious breach of privacy; it is easily circumvented and it is likely to suffer significant mission creep. As my colleague Chris Berg has argued, mandatory data retention will also have a chilling effect on free speech. The Australian privacy principles were updated and implemented just six months ago, yet mandatory data retention is a policy that would require the explicit rejection of these principles—namely, that businesses, including internet service providers, should only retain the information that is required for business purposes and should delete that data when it is no longer required for those same purposes.

We have seen in recent times some very significant breaches of privacy by government agencies. Most recently, the Australian Federal Police was responsible for a very serious breach of privacy when it revealed the identities of criminal suspects and other details about criminal investigations. Such inadvertent disclosures are unavoidable, but government should be seeking to reduce the possibility of these disclosures where possible. It is also worth noting that it has not been adequately shown that preservation orders are not adequate to achieve the aims of the law enforcement. Stored preservation orders are targeted, proportional data retention schemes that offer a flexible and privacy-protecting mechanism to law enforcement agencies. It is striking to us how rarely the existence of this mechanism is discussed in the data retention debate when it would seem to resolve all the problems with the TIA act that have been identified by law enforcement agencies.

The authorised access regime established under the TIA act allows for warrantless access to communications data stored by telecommunications companies. This is a clear breach of the principle that access to communications data should not occur unless a warrant has been issued by judicial authority. The TIA act annual report 2012-13 revealed that there were more than 300,000 access authorisations made in that year. Some of these authorisations were made by organisations like Australia Post, the Clean Energy Regulator, Harness Racing New South Wales and the Wyndham City Council. The authorised access regime should be abolished and should be replaced with a regime where communications data may only be accessed in accordance with the warrant issued for that purpose.

One of the problems we have identified in this debate concerns the word ‘metadata’ as opposed to ‘content data’. In our view the word ‘metadata’ describes nothing of analytical value; it is all just data. Indeed, as has often been pointed out in this debate, metadata is capable of revealing even more than what has been described as content data. We are happy to discuss the issue in detail if the committee wishes. Thank you.

US Surveillance Scandal Just The Tip Of The Iceberg

More than a decade after the September 11 attacks, the US is having a debate about its monstrous national security apparatus. Finally.

In that time, Congress has granted every wish of every security agency. The only condition was those wishes had to be connected, however vaguely, to the war on terror.

Last week, Americans learned the result. They now live in a vast surveillance state run by secretive intelligence bureaucracies and bloated private contractors.

We should care about this, too. Australia’s national security agencies are pushing our Parliament down the same path.

Here is what we know so far about the American scandal. For the past seven years, the US government has been secretly hoovering up records of millions of phone calls. It has been able to gain access to enormous amounts of data from companies such as Google, Facebook and Yahoo on their users. For its legal authority, it relies on the rubber stamp of a secret court.

Those companies targeted are forbidden from discussing what is going on. In March, Director of National Intelligence James Clapper explicitly denied to Congress that the program even existed.
As one Democrat who received a classified briefing this week said, the public has only seen the ”tip of the iceberg”.

Australia has not gotten quite that bad. But every policy change goes one way – towards more state power.

The Attorney-General’s Department wants Parliament to approve a suite of new security powers. This would include a massive data retention scheme, where records of all our internet usage would be kept by internet providers just in case we are later suspected of committing a crime.

The government is not transparent about what exactly these new powers would entail, or what they are supposed to solve. We have to piece together disparate pieces of information to figure out what our own government is doing.

For instance, we learned in February our foreign spy agency ASIS has been lobbying politicians for permission to collect intelligence on Australian citizens. But that is already the job of the domestic agency, ASIO. Why does ASIS want this power? It is not clear.

Earlier this year, we learned Australian bureaucracies are accessing phone and internet records nearly 1000 times a week without a warrant. Even the RSPCA can get access to these records. Yes, that RSPCA, the animal group.

And it is almost certain the American program has been been collecting data on Australians. Parts of the program give moderate privacy protections to American citizens but nothing to people ”reasonably believed to be outside the United States”. It is unclear how involved Australian agencies are. We know British agencies have been, but Canberra won’t disclose anything.

This madness has to stop. The national security state has grown too big. It is too unaccountable. It is fundamentally undemocratic.

When the Attorney-General’s office was questioned about its surveillance activities, a spokesman replied it was the “long-standing practice of successive Australian governments not to comment on national security and intelligence capabilities”.

Such blithe dismissals might have worked in the past. But after what we have seen in the US, there is no longer a reason to give government any benefit of the doubt.

Nobody denies that law enforcement must keep up with the times. Nobody denies terrorism is a real and ongoing concern. But the past decade has seen security agencies use these two facts as leverage for unprecedented funding and power – far out of proportion to the technological problems they are worried about.

Security agencies have an advantage in the political game. They are a black box – opaque and secretive. It is easy to convince politicians they would be endangering lives if Parliament did not grant some new power, or if checks and balances were not relaxed a little bit more.

The agencies are helped by national security apologists, who seem more worried about loyalty to the state than any democratic accountability.

The first reaction of the conservative columnist David Brooks to the US scandal was to surmise that the person who exposed it – 29-year-old security contractor Edward Snowden – was just the product of an overly individualistic society. OK, one of the biggest surveillance programs in history is revealed, and Brooks concludes the real issue is young people?

Columnists say the darndest things. But Brooks’ is not a lone voice. There is an active discussion in the US about Snowden’s motives, his girlfriend and whether he has committed “treason”.

Some perspective, please. Snowden’s character is irrelevant to the question of how powerful security agencies should be in a free country. Those who try to play down, dismiss or deflect this scandal are simply the willing tools of state power.

Just as despicable is the claim (heard occasionally from the left) that citizens have abandoned their right to privacy by handing personal information to companies. Talk about blaming the victim. We share stuff on Facebook, so it’s our fault the government is out of control?

The surveillance scandal is an important moment. Even the most gung-ho conservatives in the US are having second thoughts about the national security state.

Let’s hope that scepticism trickles down to Australia.

It’s About More Than Just Phone Hacking … Unfortunately

If you want to know what actually happened in the British phone hacking scandal, you won’t find it in the Leveson inquiry report released last Thursday.

The report comprises almost 2,000 pages; it’s spread across four volumes and has 59 separate chapters. It has a lot of stuff about media history and ethics and philosophy; a lot of hand-wringing about press “culture” and personal friendships between Fleet Street and Westminster.

But not a lot about who committed what crime and when.

For instance, the fact that Rebekah Brooks and Andy Coulson (both ex-News of the World editors) are in court this week facing charges of corrupt payments to public officials does not inform the report.

Nor the fact that at least three public officials have been arrested for misconduct in a public office – that is, corruption.

Lord Justice Leveson is recommending statutory regulation of the press before his inquiry has gotten to the bottom of the phone hacking scandal.

Even by the woolly standards of judge-led policy advocacy, this is pretty stark. Especially considering his proposals would be a reversal of the four-century-old victory of free press over state power.

The Leveson inquiry’s terms of reference are split in two. Part 1 looks at the “culture, practices, and ethics of the press”. Part 2 investigates the specific allegations of unlawful conduct and corrupt payments between press and police.

This is the real issue, as I argued in July last year. Criminal acts are a bad thing and should be punished. But criminal acts with the assistance of police are much, much more disconcerting. Thursday’s report is Part 1. Part 2 hasn’t even started yet.

Operation Elveden – the Metropolitan Police Department’s investigation into corruption in the police force – is ongoing. Leveson writes that he doesn’t want to step on its toes. Repeatedly throughout the report, witnesses suggest serious things. For instance, unnamed senior officers are “rumoured to be corrupt”, but the story ends there, “for fear of undermining what could be an ongoing investigation”.

Still, the first report reveals a litany of errors, misjudgements and bureaucratic backside-covering that allowed the scandal to build before it exploded in 2011.

Between 2001 and 2003, the Devon and Cornwall Police discovered a ring of retired and serving police officers selling information from police databases to private investigators. The investigators were then selling that information to various clients, some of whom were journalists.

Such privacy breaches are not unusual. Over the last decade, more than 200 Metropolitan police officers and civilian administrators have been disciplined for wrongfully accessing the Police National Database. The current commissioner described this to the Leveson inquiry as a “chronic problem”.

But when the Devon and Cornwall Police cases went to court, the judges let the accused go with conditional discharges. They didn’t even get fined.

When the story surfaced again in 2006 (this time the Royal family was claiming its private phone messages were being listened to) memory of the pathetic sentences given to the earlier cases meant the London police were reluctant to aggressively push their investigations. It just wasn’t worth the effort. That, and Britain was at the height of the anti-terrorism campaign. In the wake of the London bombings, chasing privacy prosecutions was less a priority than hunting violent Islamists.

Still, one reporter – News of the World’s “one rogue reporter” – was prosecuted. As part of its investigations, the police found a huge list of potential victims, but it failed to notify them.
Three years later, the Guardian and the New York Times published allegations of widespread phone hacking. This time, the police stonewalled. The issue had already been dealt with. To admit that there was more to the case was to admit that they were wrong to draw a line under the rogue reporter in 2006.

The Milly Dowler story erupted in July 2011. The police had been in possession of seized documents with her name – and Hugh Grant’s name – since the first investigations in 2003.

I’ve dwelled on this timeline because it is the closest the Leveson report gets to an exploration of the specific failures that led to the phone hacking scandal.

It’s all well and good to wax lyrical about ethics and press culture. But if we want to link problem to solution – a basic requirement in the development of good public policy – we have to know what actually caused the events we’re concerned about.

And too much of the Leveson report is divorced from the phone hacking itself. You can understand why David Cameron offered Leveson such a wide brief – he was embarrassed about his relationship to the now disgraced Andy Coulson. But the distance between scandal detail and regulatory proposals undermines the point of the whole inquiry.

To be fair, Leveson’s effort is far better than Australia’s Finkelstein inquiry. Here, Justice Ray Finkelstein wasn’t even given a scandal to work with – he had to construct a justification for press regulation out of thin air. Where Britain had the Milly Dowler case, Australia had the vibe of the thing.

So it is not insignificant that the Finkelstein and Leveson recommendations were so similar: statutory regulation of the press disguised as “self-regulation”. In the UK this is apparently the solution to widespread criminality. In Australia it is apparently a solution to … well, what exactly? The strongest case Finkelstein could come up with was that newspapers gave an unbalanced presentation of climate science.

But there’s a vocal group of people who want a new regulator backed by government, so that’s what gets recommended. Is there anybody who didn’t think Leveson or Finkelstein would call for new regulation? The only suspense has been for the details.

Last week David Cameron rejected those details – he would not cross the Rubicon into press regulation. Hopefully, Julia Gillard and Stephen Conroy will do the same.

Privacy To Be Sacrificed As Roxon Takes Liberties With Our Freedoms

Last week Attorney-General Nicola Roxon argued for one of the most significant attacks on civil liberty in Australian history – internet data retention.

There aren’t many details yet. From what we can tell, the government wants to force all internet service providers to record details about every email their customers send, every website they visit, and every communication they make.

The providers will have to store those records for up to two years, just in case the police or the Commonwealth spy agency ASIO want to look at them later.

This data retention scheme would be an institutionalised, systematic invasion of our privacy – at least as bad as the Hawke government’s proposed Australia Card was in the 1980s. And it is certainly scarier than any of John Howard’s post-September 11 security laws.

Admittedly, data retention is not an original Australian idea. Similar policies have been implemented across Europe. But their record is not flattering. Germany’s parliamentary research unit surveyed European crime statistics between 2005 and 2010 and could not find any evidence to suggest data retention was helping solve crimes. And several European countries have even found data retention unconstitutional. In 2009 the Constitutional Court of Romania found that “continuous limitation of the privacy right … makes the essence of the right disappear”. In other words, data retention is so pervasive that it eliminates privacy. You can understand why Romanians would be sensitive. They suffered under communist police state surveillance for nearly half a century.

The idea behind data retention is to try to replicate for the internet what police have enjoyed with telephone calls for decades – access to records of who we called and when. Yet there’s a big difference between phones and the internet. Telephone companies keep those records in order to bill us. So phone records already exist. Internet data retention would require companies to create a giant new database of what their customers were doing online.

This database would be many times larger and much more revealing. Most Australians make a couple of calls a day. But we send and receive dozens of emails. We visit hundreds of websites. In 2012 we do everything from banking, to researching health concerns online. The internet is nothing like a telephone.

On top of this, the government wants internet providers to take responsibility for keeping these vast new information archives secure. But there are hundreds of internet companies in Australia. Many of them are tiny. Few of them are security specialists.

The Attorney-General argued on Tuesday last week that the police needed all this new surveillance to tackle identity theft. This is clever: we need to destroy privacy in order to save it. But it is nonsense.

These new databases would be attractive targets for those very identity thieves. Criminals could just crack the security of a small internet provider. We’ve seen in the past few years how insecure corporate data can be. Even big firms struggle with security.

Making their case, Roxon and her A-G’s Department say they need to “modernise” their powers to deal with cybercrime. Yet the urgent need to modernise this law would be more convincing if it wasn’t for the fact that the 1979 Telecommunications Interception Act has been “modernised” 64 separate times since then. It has been changed on average twice a year for three decades. Indeed, the last modernisation was as recently as August.

Roxon is talking about more surveillance powers literally a fortnight after she has been granted new ones. Our Attorney-General must know this. So when will enough be enough?

Anyway, the August reform gave law enforcement agencies exactly what Roxon claims they need: the flexibility to investigate crime online. Now if police identify a suspect, they can order internet companies to log the data of specific individuals. Such targeted data preservation is reasonable. It’s like traditional phone tapping. Police get investigative powers, but don’t treat every Australian as a criminal.

Internet data retention isn’t the only new weapon the government wants. A parliamentary committee is currently considering a government discussion paper with dozens of complex proposals to extend security power over the internet. The discussion paper makes some stunning claims. Apparently, some limits on ASIO and the police merely “reflect historical concerns about corruption and the misuse of covert powers”.

Are those concerns really out of date? Politicians like to talk about balancing the need for security and the need for liberty, as if they are shouldering a heavy philosophical burden. Yet it seems new laws only ever satisfy the former. Liberty loses, inevitably, every time.

Opening statement to Parliamentary Joint Committee on Intelligence and Security Potential reforms of national security legislation

With Simon Breheny

The suite of policies proposed in the Attorney-General’s discussion paper add up to one of the most significant attacks on civil liberties in Australian history. Many of the proposals breach the rule of law, severely curb civil liberties and threaten freedom of speech. Our submission focused on the data retention proposal. We were disturbed to see the Attorney-General support this proposal yesterday. In our view, the data retention proposal is a much greater threat to privacy than even the proposed Australia Card was in the 1980s. The complexity of these discussion papers’ proposals is significant. Many of them interact with multiple pieces of legislation. Few have been elaborated or justified. They should be dealt with separately, with separate legislation and separate inquiries. The burden of proof rests on the government to prove to the public that after 10 years of continuous, unrelenting increases in national security power—the last major change was as recently as August this year—there is still a clear need for such extraordinary changes. Almost every single proposal in the discussion paper has serious problems. For instance, the proposal to establish an offence for failure to assist in the decryption of communications is a clear abrogation of the government’s responsibility to uphold the privilege against self-incrimination and the right to silence—vital features of our criminal justice system. We call on this committee to reject this proposal.

We also oppose the default extended period for warrants from 90 days to six months, the lowering of thresholds for obtaining warrants, the power of the Attorney-General to unilaterally vary warrants and the power of ASIO to move, alter or delete data. But the most extraordinary proposal we would like to talk about is that of data retention. This draconian proposal for mandated and indiscriminate retention of the online data of all Australians is completely lacking in proportionality, undermines basic freedoms and is in fundamental conflict with the right to privacy. Extraordinary claims require extraordinary evidence, yet no evidence has been presented to justify one of the world’s most onerous data retention regimes. Abstract references to emerging threats and cybercrime are patronisingly insufficient as justification for such an extreme example of state power.

The collection and storage of data by internet service providers also creates a considerable data security problem. Rather than dispersing information, data retention creates silos of information begging to be attacked by the very criminals this proposal seeks to limit. Many European nations have had data retention regimes in place for a number of years. A study conducted over a five-year period, from 2005 to 2010, found no statistically significant increase in crime clearance rates in countries that had adopted data retention. ‘Australians should not allow themselves to be bullied into accepting a proposal which has ominous implications and particularly a grave temptation for abuse by the government.’ That was said by the IPA in 1986 in relation to the proposed Australia card, and the same holds true for the proposals being considered here today.

Submission to Parliamentary Joint Committee on Intelligence and Security on ‘Equipping Australia against Emerging and Evolving Threats’

With Simon Breheny

Introduction: The Institute of Public Affairs believes many of the national security proposals contained in the Attorney-General’s Department’s Equipping Australia against Emerging and Evolving Threats Discussion Paper are unnecessary and excessive. Many of the proposals:

  • Curb civil liberties;
  • Systematically breach Australians’ right to privacy, and;
  • Breach basic rule of law principles.

The Discussion Paper offers at least 45 distinct proposals. This submission does not attempt to address each one. Instead, we focus on one particular proposal that the government is seeking views upon: the data retention policy that would require internet service providers to retain data on all users for up to two years.

The data retention proposal, along with a number of other proposals listed in the Discussion Paper,would be a significant increase in the power of security agencies and the Attorney-General’s Department.

Available in PDF here.

Be Sceptical Of Vague New ‘National Security’ Powers

Any proposal by the government to increase its own power should be treated with scepticism.

Double that scepticism when the government is vague about why it needs that extra power. Double again when those powers are in the area of law and order. And double again every time the words “national security” are used.

So scepticism – aggressive, hostile scepticism, bordering on kneejerk reaction – should be our default position when evaluating the long list of new security powers the Federal Government would like to deal with “emerging and evolving threats”.

The Attorney-General’s Department released a discussion paper last week detailing security reform it wants Parliament to consider.

The major proposal – although explored little in the department’s paper – is the Gillard Government’s proposed data retention laws. These laws would require all internet service providers to store data about their users’ online activity for two years. They have been on the table for some time.

But there are many other proposals. The department wants the power to unilaterally change telecommunications intercept warrants. It wants the threshold for those warrants to be significantly lowered. It wants the ability for security agencies to force us to hand over information like passwords to be expanded. There’s much more.

These reforms add up to a radical revamping of security power. They raise troubling questions about our right to privacy, our freedom of speech, and the overreach of regulatory agencies. And they suggest one of the most substantial attacks on civil liberties since John Howard’s post-September 11 anti-terror law reform.

Public policy is like comedy – timing is everything. The lack of timing here is revealing.

These proposals come nearly a decade after the first flurry of anti-terror activity, and long after most analysts have concluded that the serious threat of terrorism – keenly and rashly felt at the turn of the century – has subsided.

The government claims that a new environment of cybercrime and cyber-espionage necessitate wholesale reform of the law. These claims are massively overstated. Cybercrime exists more in the advertising of security companies than it does in reality, as I argued in the Sunday Age earlier this year.

Cyber-espionage too is worse in theory than reality. In their recent paper Loving the Cyber Bomb?, two American scholars, Jerry Brito and Tate Watkins, point out that these claims have all the hallmarks of threat inflation driven by self-interested security agencies.

As they write in the American context, “The rhetoric of ‘cyber doom’ employed by proponents of increased federal intervention, however, lacks clear evidence of a serious threat that can be verified by the public.”

Certainly, our Attorney-General’s Department offers no such clear evidence. Perhaps there is evidence. But most of the Government’s case is presented as innuendo and hypotheticals.

Brito and Watkins suggest this hyperbole has a parallel with the sort of threat inflation that led up to the Iraq War. The conclusion – more power – leads directly from the premise – an evolving threat. But we’re a long way from the realm of evidence-based policy here.

Yet even if we took the government at its word about the dark and dangerous online environment, there would still be much to be concerned with.

Fairfax papers reported in April that ASIO now privately believes environmentalist groups are more dangerous than terrorists. This surely says more about the diminished status of terrorism than the rise of green activism. But it also underlines the often political nature of national security enforcement.

The line between lawful and unlawful political dissent is less clear at the margins than we like to admit. Enthusiastic agencies and thin-skinned governments can easily forget there is any difference at all. (During the Second World War, John Curtin’s Labor government even directed ASIO’s predecessor agency to investigate the Institute of Public Affairs – its ideological opponent, and an organisation that was urging the formation of a non-left political party.)

ASIO isn’t the only agency we have to worry about. There are at least 16 Commonwealth and state bodies approved to intercept telecommunications right now. Even the scandal-ridden Office of Police Integrity in Victoria would benefit from these new powers.

Ministers in the Gillard Government have jumped to defend the Attorney-General’s proposals. And the Coalition is “examining the issues carefully”.

Yet given the bipartisan submission to the previous government’s expansion of the security state, it would not pay to be too optimistic.

This is largely because governments are usually passive recipients of the phenomenon of threat inflation, not the drivers of it. Security agencies are easily able to convince politicians they need more support and power, and that any scepticism about pressing national security matters is reckless, even negligent.

The scepticism, unfortunately, has to be left to the public whose civil liberties are at stake.