Data regime will see us funding our own surveillance
Leanne O’Donnell | 08 October 2015
Talk of ‘metadata’ has largely faded from the headlines outside the tech press. It’s a conversation that needs to continue.
From next Tuesday 13 October 2015, telcos such as Telstra, Optus and Vodafone will begin retaining your telecommunications data, as required by the data retention laws passed in March this year.
There’s also roughly 400 small internet service providers who, together with the big players, will be required to comply with these retention obligations, subject to any approved Data Retention Implementation Plan and/or any relevant exemption or variation.
There seems to be still much confusion about exactly what data is going to be retained, the scope of the laws, and who will pay.
Data associated with communications services provided by your telco, such as email, mobile and landline phone calls, VoIP and text messaging, will be retained, as will data associated with your internet activity, with the express exception of web browsing history (or destination IP addresses).
Data related to the use of third-party services such as Gmail, Skype, FaceTime and Facebook, or popular messaging apps such as WhatsApp or Wikr, are not captured by Australian retention obligations.
But mandatory data retention is also a data creation regime. Then-communications minister Malcolm Turnbull, talking to ABC radio in March,claimed: ‘The only thing the data retention law is requiring is that types of metadata which are currently retained will be retained in the future for at least two years.’
In fact the data retention laws include an obligation on service providers to ‘create’ data that falls within the data set to be retained, even if they do not currently collect or capture that data.
This isn’t nitpicking. The more data that is created, the more the scheme will cost, and the greater intrusion on privacy and risk of data breach.
Australian companies are not compelled to notify their customers if their privacy may have been compromised by a data breach. We’re still waiting to see the consultation on mandatory data breach notification laws which were promised to be introduced by the end of this year.
Who can access this data, and for what reason? The Australian stated in an editorial last month: ‘We have no quarrel with the law’s broad purpose to preserve metadata … so counter-terror agencies can prevent attacks and prosecute wrongdoers.’ But the truth is there aren’t any safeguards to limit the access and use of your retained data to preventing or investigating terrorism or other serious crimes.
Unlike the laws relating to intercepts or access to stored communications, there is no threshold of gravity of conduct, such as a ‘serious contravention’ of the law, that applies to access to telecommunications data by law enforcement agencies.
The long list of enforcement agencies that are permitted to access telecommunications data includes regulators such as ASIC and the ACCC, which certainly aren’t ‘counter-terrorism agencies’.
And the new data retention laws do not limit the very broad range of agencies that can apply to be added to this list. A parliamentary committee recommended in early September that the Australian Tax Office be added. Will Centrelink be next?
In the very narrow context of a request for data belonging to a journalist for the purpose of identifying a source, a ‘journalist information warrant’ is required. However this column by Richard Ackland and this interactive game by Nick Evershed raise serious concerns about the level of protection provided.
I believe telecommunications data can be a useful tool for law enforcement. But that is not the same as asserting that a mass data retention scheme is necessary, proportionate, or likely to be effective.
In Germany, which has had no mandatory data retention laws after its scheme was found to be unconstitutional, a 2011 studyfound that data retention had no impact on either the effectiveness of criminal investigations or the crime rate. Similarly, in 2013, the Privacy and Civil Liberties Oversight Board found that there is little evidence that the metadata program has made the US safer.
And at what cost? The government has said it will pay a ‘reasonable contribution’ towards the service providers’ up-front set up costs. Yet despite the looming start date, when and how this money will be allocated is still unknown.
We don’t know what costs will be passed on to customers. But we do know the costs will be significant. The figures provided by PwC were given to the government before the parliamentary committee’s recommendation that the data be encrypted, and do not include ongoing costs. We also know that the process of determining an estimate of costs was rushed, and many smaller players weren’t consulted.
Ultimately we’ll all pay — as tax payers, consumers and citizens.