Medicare details available on dark web is just tip of data breach iceberg

Modern governments use a lot of data. A lot. Our social services are organised by massive databases. Health, welfare, education and the pension all require reams of information about identity, social needs, eligibility, and entitlement.

Our infrastructure is managed by massive databases holding information about traffic flows, public transport usage, communications networks, and population flows.

Our security is maintained by complex information systems managing defence assets, intelligence data, and capabilities and deployment information.

We should be thinking about these enormous data holdings when we read the news that thieves have been selling Medicare numbers linked to identities on the “dark web” – a mostly untraceable anonymous corner of the internet.

That last detail is what has made this such a scandal for the government, as Human Services Minister Alan Tudge and the Australian Federal Police have scrambled to identify the systems’ weaknesses.

But the fact that the Medicare numbers are being sold is the only thing that makes this an unusual data security breach. Australian government databases are constantly being accessed by people who are not authorised to do so.

Here’s just a taste. Last year the Queensland Crime and Corruption Commission revealed it had laid 81 criminal charges and 11 disciplinary recommendations in the space of 12 months for unauthorised access to confidential information by police. One of those was a police officer who had been trawling through crime databases looking for information about people he had met on a dating service. He was convicted of 50 charges of unauthorised access.

A Queensland police officer was disciplined in May this year for using the police database to share the address of a woman with her husband who was subject to a restraining order.

The Victorian government’s police database was wrongly accessed 214 times between 2008 and 2013, by “hundreds” of officers.

Earlier this year 12 staff were fired from the Australian Taxation Office for accessing tax data on celebrities and people they knew.

We could go on. These of course are the instances we know about because they have been detected and reported on. There are undoubtedly others.

Governments manage a lot of data because we ask them to do a lot, and to do what they do well.

They run thousands of complex systems. Many of these systems have been jerry-rigged and adapted from earlier systems, a series of politicised, over-budget and under-delivering IT projects stacked on top of each other over decades.

But these repeated episodes of unauthorised access show that these complex systems are in dire need of reform.

It is clear that the “permission” structures on these government databases are deeply broken.

In the debate over mandatory data retention one of the big questions was whether law enforcement and regulatory agencies should have to obtain a warrant before accessing stored data. In the end the government decided no warrant was necessary – because warrants could only slow down investigations.

This is exactly the sort of loose permission structure that leads to abuse. Just two weeks after data retention officially came into effect this April, the Australian Federal Police admitted one of its members had illegally accessed the metadata of a journalist.

This breach was entirely predictable. Data retention opponents repeatedly predicted it.

Last week’s Medicare breach has been made possible because thousands and thousands of people – bureaucrats, health professionals, and so on – can access the Medicare database. Most police officers, bureaucrats, and health professionals are trustworthy. But it only takes a few bad actors to wreck a system built on trust.

Rather than leaving data access up to the discretion of thousands of people, we need stricter codified rules on data access. Government databases need to be restructured to prevent, not simply penalise, government employees from going on fishing expeditions through our data.

The point isn’t to provide a legal or technological fix to the problem of unauthorised access. Rather, we should completely reimagine who owns the information that the government keeps on all of us. We ought to own and control our information, not the state.

New cryptographic technologies increasingly being applied to blockchain and cryptocurrency applications allow for even greater personal control over information. If applied, they would only allow government agents to know exactly what they need to know.

And it would move us from a system of surveillance and big data, to one of personal disclosure and privacy.

In the past, economic reform was targeted at big sectors like banking, telecommunications, and trade.

As Australian governments evolve inevitably into complex information brokers, the next wave of reform will have to focus on data management.

If You’re Worried About Privacy, You Should Worry About The 2016 Census

If you blinked, you missed it. On December 18 last year, the Australian Bureau of Statistics announced that at the 2016 census in August it would, for the first time, retain all the names and addresses it has collected “to enable a richer and dynamic statistical picture of Australia”.

Keeping names and addresses, we were quietly told, would enable government planners to do more rigorous studies of social trends.

It is only now that the significance of the ABS’s change is spilling out into the press.

For the past 45 years, it has been the ABS’s practice to destroy that identifying information as soon as all other information on the census forms is transcribed – first onto magnetic tape, and now into vast digital data banks that allow statisticians to slice and dice at their whim.

In the 2001 census, the government first offered Australians a choice as to whether they would like their name-identified information kept. This year that opt-in system will be a compulsory system. Your name will be kept whether you like it or not.

The risks to privacy are blindingly obvious. The safest way to protect data is to not collect it at all. The second safest way is to destroy that data after collection. There is no such thing as 100 per cent safely secured information. We know this from bitter experience. The last decade has seen a constant stream of unauthorised releases of apparently secure private information: the 2015 Ashley Madison hack being just the most embarrassing of these.

After all, privacy risks don’t only come from hackers and other rogues. Government departments have a poor record of protecting information from their own staff. The Department of Human Services admitted there were 63 episodes of unauthorised access to private files by its staff between July 2012 and March 2013. The South Australian Police Force accuses up to 100 of its own members of unauthorised access to police files every single year. ABS staff are no more or less virtuous than any other public employee.

The ABS argues that identification information will be stored safely and separately from the rest of the census data, creating a firewall that protects against individual identification. A spokesperson told Radio National last week that the ABS “never has and never will release information that is personally identifiable”.

There are a lot of unanswered questions here. But no matter what firewalls the ABS places around access and matching, it is a truism that any data that can be used usefully can also be used illegitimately.

And of course, what are considered legitimate and illegitimate uses of data can change over time. Rules written in 2016 could be changed in 2026. The data collected now might be used in a very different way down the track.

Identification retention could have practical consequences as well. A population that is rightly worried about the security of their information is less likely to answer the census either accurately or at all. Indeed, this has historically been the ABS’s big concern with keeping identification. They told a parliamentary committee in 1998 that the reduction in data quality from a reluctance to answer questions truthfully was not worth the trade-off.

A lower quality census would lead to lower quality government statistics across the board. A lot of things hang off the census. Census data guides electoral redistributions, Commonwealth grants, education funding and so on. Risking the integrity of all that in the hope that future data might be marginally more interesting to genealogical researchers and government planners seems like a terrible deal.

Although they profess to have changed their mind on the risk of lower quality data, we can speculate these concerns might be why the ABS announced the new policy in the dead holiday season. The less publicity given to the change, the less likely Australians are going to hear enough about the new census rules to be worried about their privacy.

While the Coalition’s support for traditional rights and freedoms has taken a battering over the past few years, overriding the ABS decision would go some way to reclaiming its liberal heritage.

After all, it was a Liberal Treasurer, Billy Snedden, who first mandated the destruction of names and addresses in census forms in 1971 in response to privacy concerns. And Cabinet records show the Fraser government – at the behest of treasurer John Howard – unhesitatingly and immediately rejecting a 1979 proposal by the law reform commission to retain census names and addresses.

The digitisation of absolutely everything has made privacy one of the central problems of the 21st century. If anything, Australians are more aware of the dangers of identity theft and information insecurity than they have been at any time in history.

As the ABS change shows, the debate over warrantless mandatory data retention was just the tip of the iceberg.

It is true that modern governments are data hungry. Planners and regulators want more and more information about the populations they govern.

But to the extent we have an interest in protecting ourselves against government excesses, we have an interest in denying governments carte blanche to collect information. We are not just data points in a planner’s spreadsheet. They work for us.

Communications Minister Malcolm Turnbull’s Metadata Move Will Aid Regulators, Not Security

The Abbott government has rightly focused on red tape reduction and deregulation.

But Communications Minister Malcolm Turnbull could well preside over one of the largest increases in the regulatory burden since the telecommunications market was liberalised two decades ago.

At the very moment when Turnbull seems to have cleaned up the mess that was the national broadband network, his mandatory data retention policy puts the entire competitive dynamic of the Australian telecommunications sector at stake.

Terrorism is a very real problem. The existence of the Islamic State in Iraq and Syria has heightened the terror threat. If there are serious gaps in our anti-terror law framework, they should be filled. The government has spent the past six months doing so.

However, the data retention bill the government has put forward – which requires telecommunications providers to store masses of data on their customers for no other purpose than if a law enforcement agency or regulator wants to have a look at it in the future – is not a targeted anti-terror law.

If data retention is just for terrorism, the government could legislate to ensure it was just for terrorism. But from what we know, both the Australian Competition and Consumer Commission and the Australian Securities and Investment Commission are likely to get access to the new data.

Indeed, over the half a decade that data retention has been debated, its most fervent advocates have been economic regulators, not counter-terror agencies.

One draft data set (even as Parliament is set to vote on the bill, we still don’t know what the final data set to be retained will be) included a requirement to store records of “download volumes” for two years. What anti-terror benefit would that add? Download volumes would be useful in copyright infringement cases.

The threat data retention poses to privacy has been widely discussed. But data retention is, first and foremost, a new economic regulation. So let’s treat it as sceptically as we would any increase in the regulatory burden on business.

Prime Minister Tony Abbott has said that the cost of data retention would be around $300 to $400 million, or just 1 per cent of the total revenue of the telecommunications industry.

This is a very significant amount of money. Telcos are already some of the most highly regulated firms in the country.

Turnbull has suggested government will contribute substantially to the cost of implementing data retention. But whether we pay for data retention through internet bills or just general taxation, we’ll still pay for it.

This new burden could dramatically reshape the telecommunications sector. All else being equal, large firms, with their well-established regulatory teams, are able to comply with new regulation much more easily than small firms, which lack the economies of scale to absorb costs.

The unfortunate result of burdensome regulation is to push smaller firms out of the market, reducing competition as they disappear. Less competition will, in the long run, result in higher prices.

In the case of data retention, it isn’t just size, however, that matters. Some telcos have more complex networks and technologies and legacy systems – think of Telstra – for whom imposing these new requirements might be disproportionately expensive.

Turnbull and Attorney-General George Brandis claim that mandatory data retention will require telcos to store no more data than some firms do already – just store it for a bit longer.

It’s not clear which firms they’re referring to. The entire industry has been up in arms about data retention. The proposed policy is not just a minor extension of existing practice.

Nevertheless, there’s a reason some telcos store data more than others. The smallest internet service providers survive by keeping their data storage and infrastructure costs as low as possible, hoping to pull customers away from the big firms with lower prices or better service.

For the law enforcement and regulatory agencies that have spent the past six years lobbying for data retention, regulatory compliance costs are an abstract second-order issue.

But for internet users and taxpayers, who will be charged higher prices by a declining number of internet service providers, the economic effect of mandatory data retention is a big deal.

Retain Our Privacy, Not Our Data

Australian Federal Police Assistant Commissioner Tim Morris told an audience at the weekend that “those with nothing to hide have nothing to fear”.

This was written up in Fairfax papers as a “carefully worded case” for the Government’s mandatory data retention policy.

Now, every piece of evidence we have suggests the terrorist threat right now is severe. It might be growing.

But Morris’s statement is a worry. It lacks all sense of proportionality – essential when crafting security policy.

More importantly, it shows how poorly defended our privacy rights are. Are we really at the stage where we even have to justify the very existence of private spaces – spaces where we are hidden from the all-seeing state?

It is true that the value of privacy is conceptually difficult. We’re constantly trading away privacy for other goals.

Whenever we provide our details to someone at a call centre, share secrets with friends, interact with governments, even simply go outside, we’re in some small way relinquishing control over our own personal information; allowing others to see or know details about ourselves that might otherwise be secured.

It’s particularly difficult today, when we have more opportunities than ever to share information – and the authorities have more capacity than ever to obtain information about us without our consent.

So many people dismiss privacy as a sort of anachronism: either a lost cause or something that only a recluse would care about. Privacy is dead. You’ve heard this before.

But I’ll bet even AFP assistant commissioners secure their internet banking passwords and close their blinds at night.

Privacy fulfils a deep psychological need. Society demands that we mask our true selves and moderate our behaviour when we interact with others. Social norms regulate how we act in public. In many ways these norms are valuable because they ensure a well-ordered public space.

But those norms can also be stifling. We need a space of our own as relief from the judgment of others, if nothing else.

Indeed, the move towards toleration for identity that violated current social attitudes – like homosexuality – was begun by defending the privacy of one’s own home.

Happily we’ve moved past the days where sexuality is just a matter of what people do behind closed doors. But we shouldn’t forget how for such a long time privacy offered protection against an oppressive society.

The need for privacy seems to be an innate part of the human condition. Ethnographers have found that privacy is a universal cultural attribute.

And if you believe in individual freedom – if you believe in any way that we should protect the rights of the individual against the collective – you should be very jealous of any coercive encroachments on the private realm.

As the sociologist Wolfgang Sofsky writes:

“Privacy is the citadel of personal freedom. It provides defence against expropriation, importunity, and imposition, against power and coercion.”

With all this in mind, the nothing-to-hide, nothing-to-fear argument is truly creepy.

Think of all the assumptions that underpin it.

First: you have to know what you’re doing is wrong. Second: you have to agree that what you are doing is wrong. Third: you have to trust government agents to only violate the privacy of the bad guys. Fourth: you have to trust government agents to not misuse what they find when they observe you. Fifth: you have to believe that only government agents are able to observe you.

These assumptions are questionable, to say the least.

Attorney-General George Brandis has been assuring us we can trust the Government, but that’s not very satisfactory.

Anyway, government agents aren’t the only people who might access data kept under data retention laws.

What about rogue staff of internet service providers? Or hackers attracted to these giant new honey-pots of data? Or private litigants? Data kept under data retention laws will be available in civil litigation as well.

In his national security statement on Monday Tony Abbott flagged further legislation clamping down on “organisations that incite religious or racial hatred” and signalled his intention to strengthen “prohibitions on vilifying, intimidating or inciting hatred”.

But the Government passed legislation that, we were told, was intended to do pretty much the same thing. I argued on The Drum in September that new limits on “advocacy of terrorism” were redundant at best, dangerous at worst.

Who knows what this next tranche of laws outlawing advocacy of terrorism is supposed to add.

But recall the first assumption of the nothing-to-hide argument. You have to know what you are doing is wrong.

With speech prohibitions growing as fast as legislators can draft them, there’s every reason to be afraid for our privacy, and every reason to care when it is taken from us.

Submission to Parliamentary Joint Committee on Intelligence and Security Inquiry into the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014

Introduction: Recent terrorist attacks have emphasised the need for counter-terrorism and law enforcement policy to be flexible, robust, and up-to-date. The rise of Islamic State is a significant threat, materially changing the foreign fighter problem. Many of the government’s recent anti-terror law changes have been welcome and necessary. As I argued in December 2014, the “knee-jerk reaction against any and all national security changes is not merely wrong, it’s dangerous. There is no more basic responsibility of government than security.”

However, the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 (“data retention bill”) will mandate the creation of large databases of information about the activities of all Australian internet users, not just those suspected of criminal activity.

The information contained in these databases will be sufficient to reconstruct extremely deep profiles of the activities of internet users. The information within the databases will be potentially available in any court proceeding, including, for instance, as the result of a subpoena in civil litigation. The government has made a decision not to limit access to this information to national security purposes. The creation of these databases manifests substantial new privacy risks to Australians, both from lawful and unlawful access.

The government has not demonstrated that the risks and consequences of mandatory data retention outweigh the benefits to law enforcement, nor has it demonstrated that the existing legal framework – which was substantially revised in 2012 – is insufficient to tackle the security challenges which the government has identified.


The Jig Is Up On Data Retention Plans

Last week was the second time the Government announced its mandatory data retention policy, and the second time it gave the game away while doing so.

Data retention keeps spinning out of the Government’s control.

First, in August, Tony Abbott admitted in a television interview that requiring internet service providers to retain data on their customers’ activity was not just about anti-terrorism and national security but could be used to fight “general crime”.

This time the mistake was made not by politicians but by the Australian Federal Police commissioner Andrew Colvin.

Asked whether data retention could be used to police copyright infringement, Colvin responded:

“Absolutely, I mean any interface, any connection somebody has over the internet, we need to be able to identify the parties to that connection … So illegal downloads, piracy … cyber-crimes, cyber-security, all these matters and our ability to investigate them is absolutely pinned to our ability to retrieve and use metadata.”

Over the next few days George Brandis, Malcolm Turnbull and Colvin tried to roll this back. Copyright is a civil wrong, not a criminal one, they said. Copyright holders are responsible for bringing legal action against pirates. The AFP isn’t interested in civil cases. (This is only partly true. Commercial scale copyright infringement is a criminal offence.)

But here’s why Colvin’s misstep matters.

Mandatory data retention would create massive new databases of internet users’ activity in every internet service provider across the country.

A lot of opponents of data retention have pointed out that this creates a very real risk of unauthorised access. It’s hard to keep data secure.

Yet just as concerning is authorised access. Once these databases have been created they will be one subpoena away from access in any and every private lawsuit.

Many people have some residual faith that police and security services are benevolent. After all, their mission is absolutely essential – to protect us. But do Australians have the same faith in movie studios? Their neighbours? Their employers?

After all, it’s been undeniable that data retention could help copyright infringement cases ever since the Government included “download volumes” in the list of data it wanted ISPs to retain.

But this is just getting started. Think about how useful mandatory data retention might be in other civil cases.

It would be easy to trace where somebody has been based on the source IP addresses of their mobile phone, as the phone moves from cell tower to cell tower, connecting and reconnecting to the network and internet every time.

In other words, under mandatory data retention ISPs will have to keep records of your movements for two years.

Imagine how this sort of information might be used, for instance, in a workplace relations lawsuit.

Likewise, online defamation cases will be strengthened by records that match IP address to account holder. Do you sometimes comment anonymously on blogs and news websites? Under data retention lawyers could track down who you are months after the fact.

We could go on.

Remember the Government wants this data stored solely for the purpose of future law enforcement investigations. It would be deleted otherwise. It has no business purpose.

Yet not everything about the policy the Government announced last week is terrible.

It was long assumed that data retention would be shoehorned into the existing telecommunications access regime – the regime that allows agencies and authorities from ASIO to the RSPCA to access your phone records without needing a warrant.

Instead, the Government has decided to change that regime.

The proposed bill limits warrantless access to both the existing set of data, and any future data retained under the new policy, to “criminal law enforcement agencies”. Those agencies are the AFP, Customs, state police, and the state anti-corruption commissions. (The list is in the explanatory memorandum, paragraph 197.)

The upshot is that the RSPCA will no longer have warrantless access to phone records. Nor will the Australian Competition and Consumer Commission, the Australian Securities and Investment Commission, or any of the dozens of bodies that have enjoyed such access for years.

They, like movie studios and your neighbours, would have to ask a judge for permission.

I’d guess there was a fair bit of jaw-dropping in bureaucracies across the country when Brandis and Turnbull announced that new rule.

Now, the legislation allows the Government to authorise more agencies at will, so the list could easily expand.

Still it is a striking admission that there has been too much access to too much data by too many bureaucrats for too long.

And that’s why the new limits on agency access to telecommunications data don’t compensate for the threat to civil liberties that is mandatory data retention. Fewer agencies, sure, but with access to a much more complete record of our lives.

One of the clichés of the internet era is that “information wants to be free”. But information doesn’t want anything, of course. People want information.

Data retention will create vast archives of data about what we have done and where we have been. People will definitely want that.

Surveillance and Privacy

In August 2014, the Australian government announced it intended to require internet service providers to retain “metadata” on every customer for two years for the use of law enforcement.

A first pass at this policy, offered by Prime Minister Tony Abbott and Attorney-General George Brandis, suggested the government wanted ISPs to collect the internet browsing history of all users. A second, evidently revised version of the policy was announced a few days later by the Communications Minister Malcolm Turnbull. The new version was much narrower.

Neither variation of the proposal is an Antipodean invention. The European Union’s 2006 Data Retention Directive required EU member states to introduce similar sorts of mandatory data retention laws.

These proposals come on top of the revelations about the United States’ National Security Agency’s vast global surveillance apparatus.

Democratic countries are now faced with fundamental questions. Can the right to privacy survive the expansion of the surveillance state? Or more fundamentally, is privacy a value worth protecting?

There’s a claim you often hear in discussions about privacy: someone who has done nothing wrong has nothing to hide. In other words, privacy is only a concern for those who are avoiding the law.

To the extent it is a serious argument, this claim has some serious practical problems. First, it presumes that we can trust government agents to uphold their duties fairly. That is not a trust which has been especially earned. Second, it ignores the fact that the expanding reach of public law, the over-criminalisation of minor rule-breaking and the expanding scope of the regulatory state have brought more and more activity into the realm of the justice system. Finally, law enforcement agencies and regulators operate as much by discretion as they do by commandment. Not every law or regulation is just, or justly enforced. It is not always obvious when you are doing wrong.

But more significantly, privacy is necessary for more than just the evasion of legitimate or illegitimate government action.

There is no consensus on how privacy ought to be defined, what its central attributes are and how it ought to be balanced with other principles such as the right to freedom of speech. Privacy is a condition; and a highly subjective and context dependent one at that.

But we all require privacy to function and thrive. Let’s start with the mundane. Obviously we desire to keep personal details safe – credit card details, internet passwords – to protect ourselves against identity theft. On top of this, we seek to protect ourselves against the judgment or observation of others. We close the door to the bathroom. We act differently with intimates than we do with colleagues. We often protect our thoughts, the details of our relationships, our preferences, from prevailing social norms. We compartmentalise. How many people would be uncomfortable with a colleague flipping through their mobile phone – with the window into a life that such access would provide?

Public life is one in which we all play roles, heavily mediated by social norms, assessments or assumptions about the values of our peers. Private life is a respite from that mediated world – a place we can drop our masks, abandon the petty deceptions that are necessary for smooth social interaction.

This desire for privacy applies to communications as well. Eroding privacy undermines our liberty to speak our minds. Thus, government surveillance interferes with the free-ness of speech. The feeling – real or imagined – that we are being watched, or that our actions are being recorded, affects the way we express ourselves. One 1975 study examined how the knowledge of surveillance changed stated attitudes on moral and legal questions. The study concluded that “the threat or actuality of government surveillance may psychologically inhibit freedom of speech”.

The legal scholar Louis B Schwartz illustrated how entangled free speech and privacy are by describing the characteristics of communication in private: “Free conversation is often characterized by exaggeration, obscenity, agreeable falsehoods, and the expression of anti-social desires or views not intended to be taken seriously. The unedited quality of conversation is essential if it is to preserve its intimate, personal and informal character.”

The belief that a speaker might have to answer for, or justify, their speech, especially their speech to those with whom they have an intimate or close relationship, is a constraint on that speech. We all understand how easy it is for others to misinterpret our words, and how speech can be willingly misconstrued. As Cardinal Richelieu put it in his famous (and possibly apocryphal) words, “If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him.”

What does this mean for the debate over surveillance? As the recent debate over mandatory data retention has shown, the law governing telecommunications interception is complex, and the technologies it applies to even more so. On top of these technical and legal complexities, the nature of the national security threat is unclear. National security is a highly opaque area of public policy.

That opacity means the surveillance state is hard to control by democratic means. In their book Privacy on the Line, Whitfield Diffie and Susan Eva Landau argued that the “very invisibility on which electronic surveillance depends for its effectiveness makes it evasive of oversight and readily adaptable to malign uses.” The Princeton academic Rahul Sagar has concluded that the challenge of democratic control is so great that we mostly have to rely on whistleblowers to learn what the surveillance state is doing in our name.

In April 2014 the European Court of Justice ruled that Europe’s Data Retention Directive was unconstitutional. In the court’s view, the directive “interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data” and did so in a manner that was disproportionate to its stated objective of fighting serious crime.

Mandatory data retention has been wound back in many of the states that implemented it, in part because of the civil liberties issues raised by the European Court of Justice, and in part because the policy has not been a particularly effective law enforcement tool.

For Australia, that record, and the importance of privacy to individual flourishing, ought to create a presumption against the expansion of the surveillance state.

Going Against The Grain On Data Retention

George Brandis claimed last month that data retention was “the way Western nations are going”, but the opposite is true. Australia would be going against the grain, writes Chris Berg.

It would have been good if, at their press conference last Friday, the Australian Security Intelligence Organisation and the Australian Federal Police had been joined by all the other government bureaucracies that passionately support mandatory internet data retention.

Because data retention is not about national security. It’s about collecting data on every Australian for every law enforcement and regulatory compliance agency to use. And for everything from serious crimes to trivial infractions.

So David Irvine of ASIO and Andrew Colvin of the AFP could have been joined by Chris Jordan of the Australian Taxation Office, Rod Sims of the Australian Competition and Consumer Commission, and Greg Medcraft of the Australian Securities and Investments Commission. All have been pushing for data retention in committee hearings and inquiries.

And then, for completeness, we could have had a few of the dozens of state and federal agencies who currently enjoy authorised access to private communications data under the existing Telecommunications (Interception and Access) Act.

Squeeze on stage the Western Australian Department of Fisheries, Racing Queensland, New South Wales Health Care Complaints Commission, RSPCA South Australia, and Wyndham City Council. They would all be beneficiaries of mandatory data retention.

In other words, data retention is hardly a targeted anti-terrorism measure.

There were, in fact, two separate data retention proposals last week.

The first was announced by Tony Abbott and George Brandis on Tuesday. We’ve all seen the muddled interviews but the broad strokes of the policy itself were relatively clear. The Government was planning to force internet service providers to record both the internet protocol (IP) addresses of their customers and the IP addresses of the websites that those consumers visited.

This is sometimes known as “session logging”, or more popularly as “browsing history”.

Abbott and Brandis clearly left the National Security Committee last Monday night, and Cabinet on Tuesday, thinking session logging was what had been agreed to – it was the “in-principle decision”.

Then something changed. A second proposal was announced by Malcolm Turnbull, and confirmed at the ASIO and AFP conference on Friday. In this, the only data that is to be kept is IP addresses matched to customer details. Not a record of all the sites the customers visit.

With the data provided by the Abbott-Brandis session logging policy, it would be possible to map out a person’s entire world. No ISP keeps such a record of its customers’ online lives. Why would it? Anyway, doing so would be in breach of Australian Privacy Principles, which state that no more information ought to be kept than is necessary for business purposes.

The Turnbull policy is still useful for law enforcement, but much, much narrower. It’s only a small step away from billing information. And a few ISPs do keep this data. Storing it consistently might be expensive – very expensive for some ISPs – but it’s hardly the giant threat to privacy and liberty that the Abbott and Brandis policy constitutes.

Most importantly, it is not the mandatory data retention policy proposal that has been on the table for years – large-scale session logging – the policy that Malcolm Turnbull described in 2012 as “the latest effort by the Gillard government to restrain freedom of speech”.

Thank goodness.

As Bernard Keane has found, the Attorney-General’s Department has been pushing for the full version of data retention since at least 2008.

The intellectual genesis of this policy goes back to 2006, when the European Union passed the Data Retention Directive. (Australians rarely come up with these ideas themselves.)

The directive instructed all EU member states to retain large quantities of communications data – both source and destination – for the investigation of “serious crime”. You can read it here. Article 5 outlines just how large those quantities were to be.

European countries did as they were told.

Their experience shows that Tony Abbott was spot on when he said on Wednesday that data retention was designed to fight “general crime”, not just terrorism.

In a sample 12-month period, an Austrian review found that the most common law enforcement use of retained data was for cases of theft, followed by drugs, followed by stalking. Terrorism didn’t rate.

Internet traffic data retained by Poland’s scheme is being used “more and more” for civil disputes – even divorce cases.

The Danish Justice Ministry found only two cases where session logging has been useful in half a decade. Neither concerned terrorism. Denmark gave up data retention in June this year.

Germany’s Federal Crime Agency concluded that data retention had no statistically relevant effect on crime or crime clearance. Crime continued its long-term decline even after data retention was abandoned in Germany in 2010.

We could go on. Brandis claimed last month that data retention was “the way Western nations are going” but the opposite is true. Data retention is being wound back, repealed, and abandoned. In April this year the European Court of Justice found that the EU directive was unconstitutional.

Australia already has a powerful, robust mechanism to monitor suspects online: targeted data preservation notices on the telecommunications of suspects. This regime was updated just two years ago.

But that, perhaps, is beside the point. The last week has demonstrated that the debate over telecommunications surveillance is held in widespread ignorance – ignorance about our existing capabilities, the constantly evolving legal framework, and the architecture of the internet.

Not surprising, of course. This stuff is complicated. Technology policy is hard enough. Add onto that our labyrinthine telecommunications intercept laws.

But politicians ought to try to understand the laws their departments insist they introduce.

Abbott and Brandis seem to have thought that merely mentioning the word “terrorism” would be enough to ensure their policy an easy run.

Yet no matter how real the terrorist threat, the pre-emptive surveillance of every single Australian would be an extraordinary policy in every sense of the word – way outside the bounds of proportionality, and way outside the boundaries of legitimate government action in a free country.

Security Bill Widens Government Surveillance Powers

The National Security Amendment Bill (No.1) 2014, introduced into federal Parliament last month, is 128 pages long. The bill’s explanatory memorandum is larger again – 167 pages.

It’s an absolute behemoth – complex, labyrinthine, and, to outsiders, entirely opaque. In that sense, the bill is a great metaphor for the massive national security apparatus that has developed since the September 11, 2001 terror attacks.

It’s also the first major piece of Australian national security law reform since Edward Snowden a year ago revealed America’s program of global and indiscriminate mass surveillance.

Timing matters. The Snowden revelations demonstrated that not everything done in our name is done in our interest – and too often it is done without any democratic scrutiny, let alone the approval of voters.

So what should voters make of the Abbott government’s new national security bill?

It seems the three most significant elements are a new power to allow spies to plant software on targeted computers, new penalties for intelligence whistleblowing, and a prohibition on anybody releasing any information about “special intelligence operations”.

But it isn’t clear what the practical implications of these powers are. Are there any boundaries on what constitutes a special intelligence operation? Could journalists be prosecuted for reporting on national security leaks? Getting details out of the government is like pulling fingernails.

National security is a unique area of public policy. It’s one of the most important functions of government. Yet citizens have very little idea of what the government does under the guise of protecting them.

So the debate over national security powers is always held under a veil of ignorance. Usually serious public policy discussion requires evidence. But when we’re talking about security those evidentiary standards go out the window. The best we get is hand-waving about terrorism and, now, Australian residents fighting in Syria. We’re told to take the government on trust.

Given that a basic principle of democracy is that governments must justify themselves to the citizenry, this is a problem. Terrorism is a real threat. But it is not a blank cheque for legislative change.

The democratic accountability problem is enhanced even further by the fact that – as the Edward Snowden leaks have demonstrated – Western governments have repeatedly lied about their national security actions and have kept hidden evidence of their own wrongdoing.

In his recent book, Secrets and Leaks: the Dilemma of State Secrecy, Princeton academic Rahul Sagar argues there are no easy ways to impose democratic accountability on the national security state.

Blind trust isn’t an option. Democracies cannot rely on blind trust. Unfortunately radical openness isn’t an option either. We don’t want the bad guys to know everything about ongoing enforcement operations.

Institutional accountability mechanisms – like parliamentary committees and independent watchdogs – are good, but they tend to be captured by the agencies they are overseeing.

Sagar’s conclusion is that the best we can hope for is that whistleblowers expose wrongdoings.

When America’s mass surveillance program was first revealed by Snowden last year, the Obama administration instinctively responded that the program was necessary to prevent terrorism.

Yet in December 2013 the administration’s own advisory panel concluded that bulk mass surveillance “was not essential to preventing attacks” and that traditional, targeted surveillance methods were sufficient. This panel was no naive civil libertarian whitewash. One member was even a former CIA deputy director.

A study by the New America Foundation – a bipartisan thinktank partly funded by the US government – concluded mass surveillance “has had no discernible impact on preventing acts of terrorism”.

Australia is one of the members of America’s Five Eyes surveillance coalition, alongside Canada, the United Kingdom and New Zealand. Unfortunately our governments have been no more honest than American administrations about the need for new security powers.

For instance, the government claims its national security bill is mostly just a long-overdue update of 1970s-era telecommunications interception law. But this argument would be more plausible if the Telecommunications (Interception and Access) Act 1979 had not been updated more than 50 separate times in the past two decades.

The bill is apparently the first of a series. Attorney-General George Brandis said last week a second tranche of reform will make it easier to prosecute Australians fighting overseas, and make it illegal to “promote” terrorism. OK. But it’s already illegal to “incite” terrorism. Is that not enough? Will the government explain, specifically, why changes are needed? Don’t hold your breath.

A third tranche is likely to introduce mandatory data retention. That policy would require internet service providers to record almost everything every Australian does on the internet, just in case law enforcement agencies – from anti-terror spies to competition regulators – decide, in the future, to have a look. Mandatory data retention is both expensive and repressive.

There will probably be a fourth tranche. Tony Abbott wants to be a tough-on-terror prime minister.

The Snowden revelations should teach us one thing. Now, more than ever, the burden of proof rests on those who say we must trade off our liberty and privacy for security. That burden has not been met.

No Vote Of Confidence In ID Laws

Policy change happens when events meet ideas.

And so it is with voter ID laws – the idea that we ought to be required to show formal identification when we vote on election day.

Currently our electoral system is based on trust. Voting simply requires a voter to state their name and have it crossed off a list.

It’s incredibly insecure. Charmingly so. Alongside the sausage sizzle, the old-fashioned electoral procedure is no small part of what creates the romanticism of Australian democracy.

On Thursday, during Senate estimates, the Australian Electoral Commission said it was referring 8000 cases of multiple voting in 2013 to the Australian Federal Police. (Voting more than once, in case you didn’t know, is illegal.)

This is a lot. After the 2010 election, only 19 cases were referred to the AFP.

After the loss of 1400 ballots in Western Australia, the reputation of the AEC – and, by implication, the integrity of the electoral system itself – is understandably shaky. There is a strong political desire to do something about the AEC. Something. Anything.

Hence the political push for voter ID laws, which are supposed to prevent multiple voting. Last month, Queensland introduced its own voter identification laws as part of its electoral reform package.

But voter ID is a non-solution to a non-problem.

Let’s start with the non-problem.

Clive Palmer reckons Australians can “vote 10, 20, 30 times if you like”. A voter could visit more than one poll booth and vote under their own name multiple times. Or they could vote multiple times by impersonating other voters, at the same or different booths.

In each case, they would be abusing the trust system. (A person could also potentially enrol multiple times. But enrolment fraud is much harder to pull off.)

Yet just because a law is occasionally broken doesn’t mean it is an urgent problem.

We know when multiple voting happens because once the election is over, the AEC compares the booths’ lists to see if some names are crossed out more than once.

The large number of multiple voters referred to the AFP this year reflects the fact that the AEC is taking the phenomenon more seriously – for political reasons – not that multiple voting is getting more common.

Sure, 8000 cases sounds like a big number. But 10,000 further multiple votes are recorded simply because of human error by booth workers.

In other words, we’re talking well within the election’s margin of error here.

The vast majority of multiple voting instances – usually above 80 per cent – are attributed to confused elderly voters, who often speak English as a second language or not at all. (This 2009 AEC paper details the findings up until the 2007 election. From the evidence given by the AEC to estimates last week that proportion is unlikely to have changed.) Only a tiny fraction of multiple voters have admitted that they were “trying out the system”. Maybe a few hundred in 2013, spread across 14 million electors.

Others say they were drunk. Okay.

One reason the AFP prosecutes so few multiple voters is that there are so few of them. Another reason is that the problem is just not consequential enough to spend scarce resources on.

It is certainly possible to imagine a scenario where multiple voting could strategically alter election results; to swing tight races and thus steal power. That seems to be the underlying concern about multiple voting.

But the concern is misplaced. In a detailed study for the New South Wales Parliament earlier this year, the University of Sydney’s Rodney Smith concluded that “stealing elections is hard … large-scale multiple voting is highly unlikely to emerge as a problem”. Our trust system might facilitate multiple voting, but such behaviour is easy to detect after the fact. Questionable election results can be disputed.

As Smith pointed out, there is no evidence to suggest that multiple voting is directed towards marginal seats, which is what we’d see if one party was trying to game the electoral system.

But Parliament is about finding solutions to problems, not figuring out whether those problems exist.

So, with the AEC’s reputation at a low ebb, there is a push for a voter ID requirement to eliminate multiple voting. The push is coming mostly from the Coalition.

Voter ID would tackle only one of the ways to multiple vote – the impersonation of other voters. It wouldn’t do anything to stop people visiting different booths under their own name. (Unless of course the lists were somehow digitally tied together and updated in real time. This would be incredibly complex, and it’s not on the table.)

Not every change to an electoral system is necessarily self-interested and anti-democratic. But that’s not a bad rule of thumb.

In the United States, voter ID requirements are used to suppress the vote of traditional Democrat constituencies: the young, poor, and minorities. Those groups are less likely to have and carry appropriate identification.

But voting is voluntary in the US. Australia’s compulsory system means voter ID would create a different dynamic. Those voters who find producing identity documents too troublesome and fail to vote will be fined for not doing so. This punishment to vote may (partly) counterbalance the disincentive of having to show identification.

The Queensland reforms allow voters to show a reasonably broad range of identity documents – not just photo ID. If none are on hand, voters would be able to sign declarations of their identity.

But you can imagine how such new rules will gum up the works on election day. Confused voters sorting through identity papers. Booth workers trying to guide non-English speaking elderly through declaration statements.

What an enormous amount of hassle and complexity to fix a non-problem. Voter ID is yet another bureaucratisation of our little democracy.