The Jig Is Up On Data Retention Plans

Last week was the second time the Government announced its mandatory data retention policy, and the second time it gave the game away while doing so.

Data retention keeps spinning out of the Government’s control.

First, in August, Tony Abbott admitted in a television interview that requiring internet service providers to retain data on their customers’ activity was not just about anti-terrorism and national security but could be used to fight “general crime”.

This time the mistake was made not by politicians but by the Australian Federal Police commissioner Andrew Colvin.

Asked whether data retention could be used to police copyright infringement, Colvin responded:

“Absolutely, I mean any interface, any connection somebody has over the internet, we need to be able to identify the parties to that connection … So illegal downloads, piracy … cyber-crimes, cyber-security, all these matters and our ability to investigate them is absolutely pinned to our ability to retrieve and use metadata.”

Over the next few days George Brandis, Malcolm Turnbull and Colvin tried to roll this back. Copyright is a civil wrong, not a criminal one, they said. Copyright holders are responsible for bringing legal action against pirates. The AFP isn’t interested in civil cases. (This is only partly true. Commercial-scale copyright infringement is a criminal offence.)

But here’s why Colvin’s misstep matters.

Mandatory data retention would create massive new databases of internet users’ activity in every internet service provider across the country.

A lot of opponents of data retention have pointed out that this creates a very real risk of unauthorised access. It’s hard to keep data secure.

Yet just as concerning is authorised access. Once these databases have been created they will be one subpoena away from access in any and every private lawsuit.

Many people have some residual faith that police and security services are benevolent. After all, their mission is absolutely essential – to protect us. But do Australians have the same faith in movie studios? Their neighbours? Their employers?

After all, it’s been undeniable that data retention could help copyright infringement cases ever since the Government included “download volumes” in the list of data it wanted ISPs to retain.

But this is just getting started. Think about how useful mandatory data retention might be in other civil cases.

It would be easy to trace where somebody has been based on the source IP addresses of their mobile phone, as the phone moves from cell tower to cell tower, connecting and reconnecting to the network and internet every time.

In other words, under mandatory data retention ISPs will have to keep records of your movements for two years.

Imagine how this sort of information might be used, for instance, in a workplace relations lawsuit.

Likewise, online defamation cases will be strengthened by records that match IP address to account holder. Do you sometimes comment anonymously on blogs and news websites? Under data retention lawyers could track down who you are months after the fact.

We could go on.

Remember the Government wants this data stored solely for the purpose of future law enforcement investigations. It would be deleted otherwise. It has no business purpose.

Yet not everything about the policy the Government announced last week is terrible.

It was long assumed that data retention would be shoehorned into the existing telecommunications access regime – the regime that allows agencies and authorities from ASIO to the RSPCA to access your phone records without needing a warrant.

Instead, the Government has decided to change that regime.

The proposed bill limits warrantless access to both the existing set of data, and any future data retained under the new policy, to “criminal law enforcement agencies”. Those agencies are the AFP, Customs, state police, and the state anti-corruption commissions. (You can see the list in the explanatory memorandum here, paragraph 197.)

The upshot is that the RSPCA will no longer have warrantless access to phone records. Nor will the Australian Competition and Consumer Commission, the Australian Securities and Investments Commission, or any of the dozens of bodies that have enjoyed such access for years.

They, like movie studios and your neighbours, would have to ask a judge for permission.

I’d guess there was a fair bit of jaw-dropping in bureaucracies across the country when Brandis and Turnbull announced that new rule.

Now, the legislation allows the Government to authorise more agencies at will, so the list could easily expand.

Still, it is a striking admission that there has been too much access to too much data by too many bureaucrats for too long.

And that’s why the new limits on agency access to telecommunications data don’t compensate for the threat to civil liberties that is mandatory data retention. Fewer agencies, sure, but with access to a much more complete record of our lives.

One of the clichés of the internet era is that “information wants to be free”. But information doesn’t want anything, of course. People want information.

Data retention will create vast archives of data about what we have done and where we have been. People will definitely want that.

Surveillance and Privacy

In August 2014, the Australian government announced it intended to require internet service providers to retain “metadata” on every customer for two years for the use of law enforcement.

A first pass at this policy, offered by Prime Minister Tony Abbott and Attorney-General George Brandis, suggested the government wanted ISPs to collect the internet browsing history of all users. A second, evidently revised version of the policy was announced a few days later by the Communications Minister Malcolm Turnbull. The new version was much narrower.

Neither variation of the proposal is an Antipodean invention. The European Union’s 2006 Data Retention Directive required EU member states to introduce similar sorts of mandatory data retention laws.

These proposals come on top of the revelations about the United States’ National Security Agency’s vast global surveillance apparatus.

Democratic countries are now faced with fundamental questions. Can the right to privacy survive the expansion of the surveillance state? Or more fundamentally, is privacy a value worth protecting?

There’s a claim you often hear in discussions about privacy: someone who has done nothing wrong has nothing to hide. In other words, privacy is only a concern for those who are avoiding the law.

To the extent it is a serious argument, this claim has some serious practical problems. First, it presumes that we can trust government agents to uphold their duties fairly. That is not a trust which has been especially earned. Second, it ignores the fact that the expanding reach of public law, the over-criminalisation of minor rule-breaking and the expanding scope of the regulatory state have brought more and more activity into the realm of the justice system. Finally, law enforcement agencies and regulators operate as much by discretion as they do by commandment. Not every law or regulation is just, or justly enforced. It is not always obvious when you are doing wrong.

But more significantly, privacy is necessary for more than just the evasion of legitimate or illegitimate government action.

There is no consensus on how privacy ought to be defined, what its central attributes are and how it ought to be balanced with other principles such as the right to freedom of speech. Privacy is a condition; and a highly subjective and context dependent one at that.

But we all require privacy to function and thrive. Let’s start with the mundane. Obviously we desire to keep personal details safe – credit card details, internet passwords – to protect ourselves against identity theft. On top of this, we seek to protect ourselves against the judgment or observation of others. We close the door to the bathroom. We act differently with intimates than we do with colleagues. We often protect our thoughts, the details of our relationships, our preferences, from prevailing social norms. We compartmentalise. How many people would be uncomfortable with a colleague flipping through their mobile phone – with the window into a life that such access would provide?

Public life is one in which we all play roles, heavily mediated by social norms, assessments or assumptions about the values of our peers. Private life is a respite from that mediated world – a place we can drop our masks, abandon the petty deceptions that are necessary for smooth social interaction.

This desire for privacy applies to communications as well. Eroding privacy undermines our liberty to speak our minds. Thus, government surveillance interferes with the free-ness of speech. The feeling – real or imagined – that we are being watched, or that our actions are being recorded, affects the way we express ourselves. One 1975 study examined how the knowledge of surveillance changed stated attitudes on moral and legal questions. The study concluded that “the threat or actuality of government surveillance may psychologically inhibit freedom of speech”.

The legal scholar Louis B Schwartz illustrated how entangled free speech and privacy are by describing the characteristics of communication in private: “Free conversation is often characterized by exaggeration, obscenity, agreeable falsehoods, and the expression of anti-social desires or views not intended to be taken seriously. The unedited quality of conversation is essential if it is to preserve its intimate, personal and informal character.”

The belief that a speaker might have to answer for, or justify, their speech, especially their speech to those with whom they have an intimate or close relationship, is a constraint on that speech. We all understand how easy it is for others to misinterpret our words, and how speech can be willingly misconstrued. As Cardinal Richelieu put it in his famous (and possibly apocryphal) words, “If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him.”

What does this mean for the debate over surveillance? As the recent debate over mandatory data retention has shown, the law governing telecommunications interception is complex, and the technologies it applies to even more so. On top of these technical and legal complexities, the nature of the national security threat is unclear. National security is a highly opaque area of public policy.

That opacity means the surveillance state is hard to control by democratic means. In their book Privacy on the Line, Whitfield Diffie and Susan Eva Landau argued that the “very invisibility on which electronic surveillance depends for its effectiveness makes it evasive of oversight and readily adaptable to malign uses.” The Princeton academic Rahul Sagar has concluded that the challenge of democratic control is so great that we mostly have to rely on whistleblowers to learn what the surveillance state is doing in our name.

In April 2014 the European Court of Justice ruled that Europe’s Data Retention Directive was unconstitutional. In the court’s view, the directive “interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data” and did so in a manner that was disproportionate to its stated objective of fighting serious crime.

Mandatory data retention has been wound back in many of the states that implemented it, in part because of the civil liberties issues raised by the European Court of Justice, and in part because the policy has not been a particularly effective law enforcement tool.

For Australia, that record, and the importance of privacy to individual flourishing, ought to create a presumption against the expansion of the surveillance state.

Going Against The Grain On Data Retention

George Brandis claimed last month that data retention was “the way Western nations are going”, but the opposite is true. Australia would be going against the grain, writes Chris Berg.

It would have been good if, at their press conference last Friday, the Australian Security Intelligence Organisation and the Australian Federal Police had been joined by all the other government bureaucracies that passionately support mandatory internet data retention.

Because data retention is not about national security. It’s about collecting data on every Australian for every law enforcement and regulatory compliance agency to use. And for everything from serious crimes to trivial infractions.

So David Irvine of ASIO and Andrew Colvin of the AFP could have been joined by Chris Jordan of the Australian Taxation Office, Rod Sims of the Australian Competition and Consumer Commission, and Greg Medcraft of the Australian Securities and Investments Commission. All have been pushing for data retention in committee hearings and inquiries.

And then, for completeness, we could have had a few of the dozens of state and federal agencies who currently enjoy authorised access to private communications data under the existing Telecommunications (Interception and Access) Act.

Squeeze on stage the Western Australian Department of Fisheries, Racing Queensland, New South Wales Health Care Complaints Commission, RSPCA South Australia, and Wyndham City Council. They would all be beneficiaries of mandatory data retention.

In other words, data retention is hardly a targeted anti-terrorism measure.

There were, in fact, two separate data retention proposals last week.

The first was announced by Tony Abbott and George Brandis on Tuesday. We’ve all seen the muddled interviews but the broad strokes of the policy itself were relatively clear. The Government was planning to force internet service providers to record both the internet protocol (IP) addresses of their customers and the IP addresses of the websites that those consumers visited.

This is sometimes known as “session logging”, or more popularly as “browsing history”.

Abbott and Brandis clearly left the National Security Committee last Monday night, and Cabinet on Tuesday, thinking session logging was what had been agreed to – it was the “in-principle decision”.

Then something changed. A second proposal was announced by Malcolm Turnbull, and confirmed at the ASIO and AFP conference on Friday. In this, the only data that is to be kept is IP addresses matched to customer details. Not a record of all the sites the customers visit.

With the data provided by the Abbott-Brandis session logging policy, it would be possible to map out a person’s entire world. No ISP keeps such a record of its customers’ online lives. Why would it? Anyway, doing so would be in breach of Australian Privacy Principles, which state that no more information ought to be kept than is necessary for business purposes.

The Turnbull policy is still useful for law enforcement, but much, much narrower. It’s only a small step away from billing information. And a few ISPs do keep this data. Storing it consistently might be expensive – very expensive for some ISPs – but it’s hardly the giant threat to privacy and liberty that the Abbott and Brandis policy constitutes.

Most importantly, it is not the mandatory data retention policy proposal that has been on the table for years – large-scale session logging – the policy that Malcolm Turnbull described in 2012 as “the latest effort by the Gillard government to restrain freedom of speech”.

Thank goodness.

As Bernard Keane has found, the Attorney-General’s Department has been pushing for the full version of data retention since at least 2008.

The intellectual genesis of this policy goes back to 2006, when the European Union passed the Data Retention Directive. (Australians rarely come up with these ideas themselves.)

The directive instructed all EU member states to retain large quantities of communications data – both source and destination – for the investigation of “serious crime”. You can read it here. Article 5 outlines just how large those quantities were to be.

European countries did as they were told.

Their experience shows that Tony Abbott was spot on when he said on Wednesday that data retention was designed to fight “general crime”, not just terrorism.

In a sample 12-month period, an Austrian review found that the most common law enforcement use of retained data was for cases of theft, followed by drugs, followed by stalking. Terrorism didn’t rate.

Internet traffic data retained by Poland’s scheme is being used “more and more” for civil disputes – even divorce cases.

The Danish Justice Ministry found only two cases where session logging has been useful in half a decade. Neither concerned terrorism. Denmark gave up data retention in June this year.

Germany’s Federal Crime Agency concluded that data retention had no statistically relevant effect on crime or crime clearance. Crime continued its long-term decline even after data retention was abandoned in Germany in 2010.

We could go on. Brandis claimed last month that data retention was “the way Western nations are going” but the opposite is true. Data retention is being wound back, repealed, and abandoned. In April this year the European Court of Justice found that the EU directive was unconstitutional.

Australia already has a powerful, robust mechanism to monitor suspects online: targeted data preservation notices on the telecommunications of suspects. This regime was updated just two years ago.

But that, perhaps, is beside the point. The last week has demonstrated that the debate over telecommunications surveillance is held in widespread ignorance – ignorance about our existing capabilities, the constantly evolving legal framework, and the architecture of the internet.

Not surprising, of course. This stuff is complicated. Technology policy is hard enough. Add onto that our labyrinthine telecommunications intercept laws.

But politicians ought to try to understand the laws their departments insist they introduce.

Abbott and Brandis seem to have thought that merely mentioning the word “terrorism” would be enough to ensure their policy an easy run.

Yet no matter how real the terrorist threat, the pre-emptive surveillance of every single Australian would be an extraordinary policy in every sense of the word – way outside the bounds of proportionality, and way outside the boundaries of legitimate government action in a free country.

Security Bill Widens Government Surveillance Powers

The National Security Amendment Bill (No.1) 2014, introduced into federal Parliament last month, is 128 pages long. The bill’s explanatory memorandum is larger again – 167 pages.

It’s an absolute behemoth – complex, labyrinthine, and, to outsiders, entirely opaque. In that sense, the bill is a great metaphor for the massive national security apparatus that has developed since the September 11, 2001 terror attacks.

It’s also the first major piece of Australian national security law reform since Edward Snowden a year ago revealed America’s program of global and indiscriminate mass surveillance.

Timing matters. The Snowden revelations demonstrated that not everything done in our name is done in our interest – and too often it is done without any democratic scrutiny, let alone the approval of voters.

So what should voters make of the Abbott government’s new national security bill?

It seems the three most significant elements are a new power to allow spies to plant software on targeted computers, new penalties for intelligence whistleblowing, and a prohibition on anybody releasing any information about “special intelligence operations”.

But it isn’t clear what the practical implications of these powers are. Are there any boundaries on what constitutes a special intelligence operation? Could journalists be prosecuted for reporting on national security leaks? Getting details out of the government is like pulling fingernails.

National security is a unique area of public policy. It’s one of the most important functions of government. Yet citizens have very little idea of what the government does under the guise of protecting them.

So the debate over national security powers is always held under a veil of ignorance. Usually serious public policy discussion requires evidence. But when we’re talking about security those evidentiary standards go out the window. The best we get is hand-waving about terrorism and, now, Australian residents fighting in Syria. We’re told to take the government on trust.

Given that a basic principle of democracy is that governments must justify themselves to the citizenry, this is a problem. Terrorism is a real threat. But it is not a blank cheque for legislative change.

The democratic accountability problem is enhanced even further by the fact that – as the Edward Snowden leaks have demonstrated – Western governments have repeatedly lied about their national security actions and have kept hidden evidence of their own wrongdoing.

In his recent book, Secrets and Leaks: the Dilemma of State Secrecy, Princeton academic Rahul Sagar argues there are no easy ways to impose democratic accountability on the national security state.

Blind trust isn’t an option. Democracies cannot rely on blind trust. Unfortunately radical openness isn’t an option either. We don’t want the bad guys to know everything about ongoing enforcement operations.

Institutional accountability mechanisms – like parliamentary committees and independent watchdogs – are good, but they tend to be captured by the agencies they are overseeing.

Sagar’s conclusion is that the best we can hope for is that whistleblowers expose wrongdoings.

When America’s mass surveillance program was first revealed by Snowden last year, the Obama administration instinctively responded that the program was necessary to prevent terrorism.

Yet in December 2013 the administration’s own advisory panel concluded that bulk mass surveillance “was not essential to preventing attacks” and traditional, targeted surveillance methods were sufficient. This panel was no naive civil libertarian whitewash. One member was even a former CIA deputy director.

A study by the New America Foundation – a bipartisan thinktank partly funded by the US government – concluded mass surveillance “has had no discernible impact on preventing acts of terrorism”.

Australia is one of the members of America’s Five Eyes surveillance coalition, alongside Canada, the United Kingdom and New Zealand. Unfortunately our governments have been no more honest than American administrations about the need for new security powers.

For instance, the government claims its national security bill is mostly just a long-overdue update of 1970s-era telecommunications interception law. But this argument would be more plausible if the Telecommunications (Interception and Access) Act 1979 had not been updated more than 50 separate times in the past two decades.

The bill is apparently the first of a series. Attorney-General George Brandis said last week a second tranche of reform will make it easier to prosecute Australians fighting overseas, and make it illegal to “promote” terrorism. OK. But it’s already illegal to “incite” terrorism. Is that not enough? Will the government explain, specifically, why changes are needed? Don’t hold your breath.

A third tranche is likely to introduce mandatory data retention. That policy would require internet service providers to record almost everything every Australian does on the internet, just in case law enforcement agencies – from anti-terror spies to competition regulators – decide, in the future, to have a look. Mandatory data retention is both expensive and repressive.

There will probably be a fourth tranche. Tony Abbott wants to be a tough-on-terror prime minister.

The Snowden revelations should teach us one thing. Now, more than ever, the burden of proof rests on those who say we must trade off our liberty and privacy for security. That burden has not been met.

No Vote Of Confidence In ID Laws

Policy change happens when events meet ideas.

And so it is with voter ID laws – the idea that we ought to be required to show formal identification when we vote on election day.

Currently our electoral system is based on trust. Voting simply requires a voter to state their name and have it crossed off a list.

It’s incredibly insecure. Charmingly so. Alongside the sausage sizzle, the old-fashioned electoral procedure is no small part of what creates the romanticism of Australian democracy.

On Thursday, during Senate estimates, the Australian Electoral Commission said it was referring 8000 cases of multiple voting in 2013 to the Australian Federal Police. (Voting more than once, in case you didn’t know, is illegal.)

This is a lot. After the 2010 election, only 19 cases were referred to the AFP.

After the loss of 1400 ballots in Western Australia, the reputation of the AEC – and, by implication, the integrity of the electoral system itself – is understandably shaky. There is a strong political desire to do something about the AEC. Something. Anything.

Hence the political push for voter ID laws, which are supposed to prevent multiple voting. Last month, Queensland introduced its own voter identification laws as part of its electoral reform package.

But voter ID is a non-solution to a non-problem.

Let’s start with the non-problem.

Clive Palmer reckons Australians can “vote 10, 20, 30 times if you like”. A voter could visit more than one poll booth and vote under their own name multiple times. Or they could vote multiple times by impersonating other voters, at the same or different booths.

In each case, they would be abusing the trust system. (A person could also potentially enrol multiple times. But enrolment fraud is much harder to pull off.)

Yet just because a law is occasionally broken doesn’t mean it is an urgent problem.

We know when multiple voting happens because once the election is over, the AEC compares the booths’ lists to see if some names are crossed out more than once.

The large number of multiple voters referred to the AFP this year reflects the fact that the AEC is taking the phenomenon more seriously – for political reasons – not that multiple voting is getting more common.

Sure, 8000 cases sounds like a big number. But 10,000 further multiple votes are recorded simply because of human error by booth workers.

In other words, we’re talking well within the election’s margin of error here.

The vast majority of multiple voting instances – usually above 80 per cent – are attributed to confused elderly voters, who often speak English as a second language or not at all. (This 2009 AEC paper details the findings up until the 2007 election. From the evidence given by the AEC to estimates last week that proportion is unlikely to have changed.) Only a tiny fraction of multiple voters have admitted that they were “trying out the system”. Maybe a few hundred in 2013, spread across 14 million electors.

Others say they were drunk. Okay.

One reason the AFP prosecutes so few multiple voters is that there are so few of them. Another reason is that the problem is just not consequential enough to spend scarce resources on.

It is certainly possible to imagine a scenario where multiple voting could strategically alter election results; to swing tight races and thus steal power. That seems to be the underlying concern about multiple voting.

But the concern is misplaced. In a detailed study for the New South Wales Parliament earlier this year, the University of Sydney’s Rodney Smith concluded that “stealing elections is hard … large-scale multiple voting is highly unlikely to emerge as a problem”. Our trust system might facilitate multiple voting, but such behaviour is easy to detect after the fact. Questionable election results can be disputed.

As Smith pointed out, there is no evidence to suggest that multiple voting is directed towards marginal seats, which is what we’d see if one party was trying to game the electoral system.

But Parliament is about finding solutions to problems, not figuring out whether those problems exist.

So, with the AEC’s reputation at a low ebb, there is a push for a voter ID requirement to eliminate multiple voting. The push is coming mostly from the Coalition.

Voter ID would tackle only one of the ways to multiple vote – the impersonation of other voters. It wouldn’t do anything to stop people visiting different booths under their own name. (Unless of course the lists were somehow digitally tied together and updated in real time. This would be incredibly complex, and it’s not on the table.)

Not every change to an electoral system is necessarily self-interested and anti-democratic. But that’s not a bad rule of thumb.

In the United States, voter ID requirements are used to suppress the vote of traditional Democrat constituencies: the young, poor, and minorities. Those groups are less likely to have and carry appropriate identification.

But voting is voluntary in the US. Australia’s compulsory system means voter ID would create a different dynamic. Those voters who find producing identity documents too troublesome and fail to vote will be fined for not doing so. This punishment to vote may (partly) counterbalance the disincentive of having to show identification.

The Queensland reforms allow voters to show a reasonably broad range of identity documents – not just photo ID. If none are on hand, voters would be able to sign declarations of their identity.

But you can imagine how such new rules will gum up the works on election day. Confused voters sorting through identity papers. Booth workers trying to guide non-English speaking elderly through declaration statements.

What an enormous amount of hassle and complexity to fix a non-problem. Voter ID is yet another bureaucratisation of our little democracy.

Opening statement to Commonwealth Legal and Constitutional Affairs References Committee inquiry into Comprehensive revision of the Telecommunications (Interception and Access) Act 1979

With Simon Breheny

Thank you, first of all, to the committee chair, Senator Scott Ludlam, and the other members of the committee for inviting us to speak with you this morning. At the outset, let me make some general statements of principle. These principles should guide any reform to the Telecommunications (Interception and Access) Act 1979.

Interception and access of telecommunications data by government agencies is an intrusion into the human right to privacy. As individuals we have the right to control aspects of our lives that we wish to keep private. Government access to communications data should be strictly limited. The first limitation on access to communications data is the requirement that it must be targeted towards a person reasonably suspected of criminal wrongdoing. The second limitation is that interception of and access to communications data should only be allowed in accordance with a warrant issued by the courts. Warrants allow the interception and access to communications data in limited circumstances. They create a threshold for interception and access and ensure a level of accountability of the law enforcement agencies conducting criminal investigations by judicial oversight.

The proposal to introduce a mandatory data retention regime in Australia is a clear violation of these principles. Mandatory data retention would establish a systematic and ongoing mass surveillance regime on the internet activity of everyone in Australia. It is a very serious breach of privacy; it is easily circumvented and it is likely to suffer significant mission creep. As my colleague Chris Berg has argued, mandatory data retention will also have a chilling effect on free speech. The Australian privacy principles were updated and implemented just six months ago, yet mandatory data retention is a policy that would require the explicit rejection of these principles—namely, that businesses, including internet service providers, should only retain the information that is required for business purposes and should delete that data when it is no longer required for those same purposes.

We have seen in recent times some very significant breaches of privacy by government agencies. Most recently, the Australian Federal Police was responsible for a very serious breach of privacy when it revealed the identities of criminal suspects and other details about criminal investigations. Such inadvertent disclosures are unavoidable, but government should be seeking to reduce the possibility of these disclosures where possible. It is also worth noting that it has not been adequately shown that preservation orders are not adequate to achieve the aims of the law enforcement. Stored preservation orders are targeted, proportional data retention schemes that offer a flexible and privacy-protecting mechanism to law enforcement agencies. It is striking to us how rarely the existence of this mechanism is discussed in the data retention debate when it would seem to resolve all the problems with the TIA act that have been identified by law enforcement agencies.

The authorised access regime established under the TIA act allows for warrantless access to communications data stored by telecommunications companies. This is a clear breach of the principle that access to communications data should not occur unless a warrant has been issued by judicial authority. The TIA act annual report 2012-13 revealed that there were more than 300,000 access authorisations made in that year. Some of these authorisations were made by organisations like Australia Post, the Clean Energy Regulator, Harness Racing New South Wales and the Wyndham City Council. The authorised access regime should be abolished and should be replaced with a regime where communications data may only be accessed in accordance with the warrant issued for that purpose.

One of the problems we have identified in this debate concerns the word ‘metadata’ as opposed to ‘content data’. In our view the word ‘metadata’ describes nothing of analytical value; it is all just data. Indeed, as has often been pointed out in this debate, metadata is capable of revealing even more than what has been described as content data. We are happy to discuss the issue in detail if the committee wishes. Thank you.

US Surveillance Scandal Just The Tip Of The Iceberg

More than a decade after the September 11 attacks, the US is having a debate about its monstrous national security apparatus. Finally.

In that time, Congress has granted every wish of every security agency. The only condition was those wishes had to be connected, however vaguely, to the war on terror.

Last week, Americans learned the result. They now live in a vast surveillance state run by secretive intelligence bureaucracies and bloated private contractors.

We should care about this, too. Australia’s national security agencies are pushing our Parliament down the same path.

Here is what we know so far about the American scandal. For the past seven years, the US government has been secretly hoovering up records of millions of phone calls. It has been able to gain access to enormous amounts of data from companies such as Google, Facebook and Yahoo on their users. For its legal authority, it relies on the rubber stamp of a secret court.

Those companies targeted are forbidden from discussing what is going on. In March, Director of National Intelligence James Clapper explicitly denied to Congress that the program even existed.

As one Democrat who received a classified briefing this week said, the public has only seen the “tip of the iceberg”.

Australia has not gotten quite that bad. But every policy change goes one way – towards more state power.

The Attorney-General’s Department wants Parliament to approve a suite of new security powers. This would include a massive data retention scheme, where records of all our internet usage would be kept by internet providers just in case we are later suspected of committing a crime.

The government is not transparent about what exactly these new powers would entail, or what they are supposed to solve. We have to piece together disparate pieces of information to figure out what our own government is doing.

For instance, we learned in February our foreign spy agency ASIS has been lobbying politicians for permission to collect intelligence on Australian citizens. But that is already the job of the domestic agency, ASIO. Why does ASIS want this power? It is not clear.

Earlier this year, we learned Australian bureaucracies are accessing phone and internet records nearly 1000 times a week without a warrant. Even the RSPCA can get access to these records. Yes, that RSPCA, the animal group.

And it is almost certain the American program has been collecting data on Australians. Parts of the program give moderate privacy protections to American citizens but nothing to people “reasonably believed to be outside the United States”. It is unclear how involved Australian agencies are. We know British agencies have been, but Canberra won’t disclose anything.

This madness has to stop. The national security state has grown too big. It is too unaccountable. It is fundamentally undemocratic.

When the Attorney-General’s office was questioned about its surveillance activities, a spokesman replied it was the “long-standing practice of successive Australian governments not to comment on national security and intelligence capabilities”.

Such blithe dismissals might have worked in the past. But after what we have seen in the US, there is no longer a reason to give government any benefit of the doubt.

Nobody denies that law enforcement must keep up with the times. Nobody denies terrorism is a real and ongoing concern. But the past decade has seen security agencies use these two facts as leverage for unprecedented funding and power – far out of proportion to the technological problems they are worried about.

Security agencies have an advantage in the political game. They are a black box – opaque and secretive. It is easy to convince politicians they would be endangering lives if Parliament did not grant some new power, or if checks and balances were not relaxed a little bit more.

The agencies are helped by national security apologists, who seem more worried about loyalty to the state than any democratic accountability.

The first reaction of the conservative columnist David Brooks to the US scandal was to surmise that the person who exposed it – 29-year-old security contractor Edward Snowden – was just the product of an overly individualistic society. OK, one of the biggest surveillance programs in history is revealed, and Brooks concludes the real issue is young people?

Columnists say the darndest things. But Brooks’ is not a lone voice. There is an active discussion in the US about Snowden’s motives, his girlfriend and whether he has committed “treason”.

Some perspective, please. Snowden’s character is irrelevant to the question of how powerful security agencies should be in a free country. Those who try to play down, dismiss or deflect this scandal are simply the willing tools of state power.

Just as despicable is the claim (heard occasionally from the left) that citizens have abandoned their right to privacy by handing personal information to companies. Talk about blaming the victim. We share stuff on Facebook, so it’s our fault the government is out of control?

The surveillance scandal is an important moment. Even the most gung-ho conservatives in the US are having second thoughts about the national security state.

Let’s hope that scepticism trickles down to Australia.

It’s About More Than Just Phone Hacking … Unfortunately

If you want to know what actually happened in the British phone hacking scandal, you won’t find it in the Leveson inquiry report released last Thursday.

The report comprises almost 2,000 pages; it’s spread across four volumes and has 59 separate chapters. It has a lot of stuff about media history and ethics and philosophy; a lot of hand-wringing about press “culture” and personal friendships between Fleet Street and Westminster.

But not a lot about who committed what crime and when.

For instance, the fact that Rebekah Brooks and Andy Coulson (both ex-News of the World editors) are in court this week facing charges of corrupt payments to public officials does not inform the report.

Nor the fact that at least three public officials have been arrested for misconduct in a public office – that is, corruption.

Lord Justice Leveson is recommending statutory regulation of the press before his inquiry has gotten to the bottom of the phone hacking scandal.

Even by the woolly standards of judge-led policy advocacy, this is pretty stark. Especially considering his proposals would be a reversal of the four-century-old victory of free press over state power.

The Leveson inquiry’s terms of reference are split in two. Part 1 looks at the “culture, practices, and ethics of the press”. Part 2 investigates the specific allegations of unlawful conduct and corrupt payments between press and police.

This is the real issue, as I argued in July last year. Criminal acts are a bad thing and should be punished. But criminal acts with the assistance of police are much, much more disconcerting. Thursday’s report is Part 1. Part 2 hasn’t even started yet.

Operation Elveden – the Metropolitan Police Department’s investigation into corruption in the police force – is ongoing. Leveson writes that he doesn’t want to step on its toes. Repeatedly throughout the report, witnesses suggest serious things. For instance, unnamed senior officers are “rumoured to be corrupt”, but the story ends there, “for fear of undermining what could be an ongoing investigation”.

Still, the first report reveals a litany of errors, misjudgements and bureaucratic backside-covering that allowed the scandal to build before it exploded in 2011.

Between 2001 and 2003, the Devon and Cornwall Police discovered a ring of retired and serving police officers selling information from police databases to private investigators. The investigators were then selling that information to various clients, some of whom were journalists.

Such privacy breaches are not unusual. Over the last decade, more than 200 Metropolitan police officers and civilian administrators have been disciplined for wrongfully accessing the Police National Database. The current commissioner described this to the Leveson inquiry as a “chronic problem”.

But when the Devon and Cornwall Police cases went to court, the judges let the accused go with conditional discharges. They didn’t even get fined.

When the story surfaced again in 2006 (this time the Royal family was claiming its private phone messages were being listened to) memory of the pathetic sentences given to the earlier cases meant the London police were reluctant to aggressively push their investigations. It just wasn’t worth the effort. That, and Britain was at the height of the anti-terrorism campaign. In the wake of the London bombings, chasing privacy prosecutions was less a priority than hunting violent Islamists.

Still, one reporter – News of the World’s “one rogue reporter” – was prosecuted. As part of its investigations, the police found a huge list of potential victims, but it failed to notify them.

Three years later, the Guardian and the New York Times published allegations of widespread phone hacking. This time, the police stonewalled. The issue had already been dealt with. To admit that there was more to the case was to admit that they were wrong to draw a line under the rogue reporter in 2006.

The Milly Dowler story erupted in July 2011. The police had been in possession of seized documents with her name – and Hugh Grant’s name – since the first investigations in 2003.

I’ve dwelled on this timeline because it is the closest the Leveson report gets to an exploration of the specific failures that led to the phone hacking scandal.

It’s all well and good to wax lyrical about ethics and press culture. But if we want to link problem to solution – a basic requirement in the development of good public policy – we have to know what actually caused the events we’re concerned about.

And too much of the Leveson report is divorced from the phone hacking itself. You can understand why David Cameron offered Leveson such a wide brief – he was embarrassed about his relationship to the now disgraced Andy Coulson. But the distance between scandal detail and regulatory proposals undermines the point of the whole inquiry.

To be fair, Leveson’s effort is far better than Australia’s Finkelstein inquiry. Here, Justice Ray Finkelstein wasn’t even given a scandal to work with – he had to construct a justification for press regulation out of thin air. Where Britain had the Milly Dowler case, Australia had the vibe of the thing.

So it is not insignificant that the Finkelstein and Leveson recommendations were so similar: statutory regulation of the press disguised as “self-regulation”. In the UK this is apparently the solution to widespread criminality. In Australia it is apparently a solution to … well, what exactly? The strongest case Finkelstein could come up with was that newspapers gave an unbalanced presentation of climate science.

But there’s a vocal group of people who want a new regulator backed by government, so that’s what gets recommended. Is there anybody who didn’t think Leveson or Finkelstein would call for new regulation? The only suspense has been for the details.

Last week David Cameron rejected those details – he would not cross the Rubicon into press regulation. Hopefully, Julia Gillard and Stephen Conroy will do the same.

Privacy To Be Sacrificed As Roxon Takes Liberties With Our Freedoms

Last week Attorney-General Nicola Roxon argued for one of the most significant attacks on civil liberty in Australian history – internet data retention.

There aren’t many details yet. From what we can tell, the government wants to force all internet service providers to record details about every email their customers send, every website they visit, and every communication they make.

The providers will have to store those records for up to two years, just in case the police or the Commonwealth spy agency ASIO want to look at them later.

This data retention scheme would be an institutionalised, systematic invasion of our privacy – at least as bad as the Hawke government’s proposed Australia Card was in the 1980s. And it is certainly scarier than any of John Howard’s post-September 11 security laws.

Admittedly, data retention is not an original Australian idea. Similar policies have been implemented across Europe. But their record is not flattering. Germany’s parliamentary research unit surveyed European crime statistics between 2005 and 2010 and could not find any evidence to suggest data retention was helping solve crimes. And several European countries have even found data retention unconstitutional. In 2009 the Constitutional Court of Romania found that “continuous limitation of the privacy right … makes the essence of the right disappear”. In other words, data retention is so pervasive that it eliminates privacy. You can understand why Romanians would be sensitive. They suffered under communist police state surveillance for nearly half a century.

The idea behind data retention is to try to replicate for the internet what police have enjoyed with telephone calls for decades – access to records of who we called and when. Yet there’s a big difference between phones and the internet. Telephone companies keep those records in order to bill us. So phone records already exist. Internet data retention would require companies to create a giant new database of what their customers were doing online.

This database would be many times larger and much more revealing. Most Australians make a couple of calls a day. But we send and receive dozens of emails. We visit hundreds of websites. In 2012 we do everything from banking to researching health concerns online. The internet is nothing like a telephone.

On top of this, the government wants internet providers to take responsibility for keeping these vast new information archives secure. But there are hundreds of internet companies in Australia. Many of them are tiny. Few of them are security specialists.

The Attorney-General argued on Tuesday last week that the police needed all this new surveillance to tackle identity theft. This is clever: we need to destroy privacy in order to save it. But it is nonsense.

These new databases would be attractive targets for those very identity thieves. Criminals could just crack the security of a small internet provider. We’ve seen in the past few years how insecure corporate data can be. Even big firms struggle with security.

Making their case, Roxon and her A-G’s Department say they need to “modernise” their powers to deal with cybercrime. Yet the urgent need to modernise this law would be more convincing if it wasn’t for the fact that the 1979 Telecommunications Interception Act has been “modernised” 64 separate times since then. It has been changed on average twice a year for three decades. Indeed, the last modernisation was as recently as August.

Roxon is talking about more surveillance powers literally a fortnight after she has been granted new ones. Our Attorney-General must know this. So when will enough be enough?

Anyway, the August reform gave law enforcement agencies exactly what Roxon claims they need: the flexibility to investigate crime online. Now if police identify a suspect, they can order internet companies to log the data of specific individuals. Such targeted data preservation is reasonable. It’s like traditional phone tapping. Police get investigative powers, but don’t treat every Australian as a criminal.

Internet data retention isn’t the only new weapon the government wants. A parliamentary committee is currently considering a government discussion paper with dozens of complex proposals to extend security power over the internet. The discussion paper makes some stunning claims. Apparently, some limits on ASIO and the police merely “reflect historical concerns about corruption and the misuse of covert powers”.

Are those concerns really out of date? Politicians like to talk about balancing the need for security and the need for liberty, as if they are shouldering a heavy philosophical burden. Yet it seems new laws only ever satisfy the former. Liberty loses, inevitably, every time.

Opening statement to Parliamentary Joint Committee on Intelligence and Security: Potential reforms of national security legislation

With Simon Breheny

The suite of policies proposed in the Attorney-General’s discussion paper add up to one of the most significant attacks on civil liberties in Australian history. Many of the proposals breach the rule of law, severely curb civil liberties and threaten freedom of speech. Our submission focused on the data retention proposal. We were disturbed to see the Attorney-General support this proposal yesterday. In our view, the data retention proposal is a much greater threat to privacy than even the proposed Australia Card was in the 1980s. The complexity of these discussion papers’ proposals is significant. Many of them interact with multiple pieces of legislation. Few have been elaborated or justified. They should be dealt with separately, with separate legislation and separate inquiries. The burden of proof rests on the government to prove to the public that after 10 years of continuous, unrelenting increases in national security power—the last major change was as recently as August this year—there is still a clear need for such extraordinary changes. Almost every single proposal in the discussion paper has serious problems. For instance, the proposal to establish an offence for failure to assist in the decryption of communications is a clear abrogation of the government’s responsibility to uphold the privilege against self-incrimination and the right to silence—vital features of our criminal justice system. We call on this committee to reject this proposal.

We also oppose the default extended period for warrants from 90 days to six months, the lowering of thresholds for obtaining warrants, the power of the Attorney-General to unilaterally vary warrants and the power of ASIO to move, alter or delete data. But the most extraordinary proposal we would like to talk about is that of data retention. This draconian proposal for mandated and indiscriminate retention of the online data of all Australians is completely lacking in proportionality, undermines basic freedoms and is in fundamental conflict with the right to privacy. Extraordinary claims require extraordinary evidence, yet no evidence has been presented to justify one of the world’s most onerous data retention regimes. Abstract references to emerging threats and cybercrime are patronisingly insufficient as justification for such an extreme example of state power.

The collection and storage of data by internet service providers also creates a considerable data security problem. Rather than dispersing information, data retention creates silos of information begging to be attacked by the very criminals this proposal seeks to limit. Many European nations have had data retention regimes in place for a number of years. A study conducted over a five-year period, from 2005 to 2010, found no statistically significant increase in crime clearance rates in countries that had adopted data retention. ‘Australians should not allow themselves to be bullied into accepting a proposal which has ominous implications and particularly a grave temptation for abuse by the government.’ That was said by the IPA in 1986 in relation to the proposed Australia Card, and the same holds true for the proposals being considered here today.