The Data Retention Act – “fundamentally flawed”

By LAURIE PATTON | 20 March 2015

Despite concerns raised by civil society groups and others the House of Representatives has passed, with amendments, the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014.

This requires telcos and Internet Service Providers to store certain information (called “metadata”) for a period of two years. Metadata is essentially the information that reveals the parties to phone and email communications and other things such as the time and duration of a communication. It does not include the content of the communication.

When collected by law enforcement agencies this information will be analysed by sophisticated software using algorithms that have been developed over many years and shared by international security agencies. The output of this analysis will allow the agency to identify people or organisations of interest. The nature of that interest could be anything from terrorism to far less significant activities that might concern the authorities.

Once an individual or organisation has been identified and targeted for further investigation the agency can use a range of existing law enforcement practices to gain access to anything else they need to secure a conviction or to facilitate whatever other action they deem appropriate.

The Government and the Opposition both support the need for data retention. They cite advice from our law enforcement agencies and security services.

However, overseas there is a growing movement away from this form of government surveillance. The European Court of Justice recently overturned a ‘universal directive’ designed to harmonise data retention schemes in all EU member countries. The Court said “the directive interferes in a particularly serious manner with the fundamental rights to respect for private life and the protection of personal data”. It argued that the benefits did not outweigh the risks.

When you look at high profile incidents such as Sydney’s Lindt Cafe hostage taking, the Charlie Hebdo attack or when British soldier Lee Rigby was hacked to death in 2013, there is one common factor. The perpetrators were already known to the authorities. They were not identified as the result of a data retention scheme. The Internet Society*has noted that the Bill has not been subjected to a cost/benefit analysis.

Another concern is the security of the metadata once collected. Speaking at an industry event this week, Telstra executive Mike Burgess observed that the scheme would create a “honeypot” of private information that could be actively targeted by cybercriminals.

The Parliamentary Joint Committee on Intelligence and Security (“PJCIS”) scrutinised the Bill and recommended 38 amendments, all which have been accepted by the Government and the Opposition. The amendments include removing the ability of the Attorney-General to unilaterally add to the list of agencies able to access metadata and placing the definition of the metadata (the “data set”) in the primary legislation rather than the Bill’s accompanying regulations, where it would be easier for the Government to make subsequent changes.

This week a belated campaign by media companies, supported by Labor, resulted in another amendment that will see a Public Interest Advocate (“PIA”) appointed to address concerns that the legislation will be used to search for the identify of journalists’ sources. Law enforcement agencies will be required to obtain a warrant to investigate journalists’ activities and the PIA will be able to argue that it is not in the public interest for a warrant to be granted.

The implications for journalists and their sources also apply to others. Lawyers, doctors, whistle-blowers and anyone running an issues-based campaign could be targeted. It is also arguable that trade unions could be targeted if they are engaged in industrial action.

Then there’s the cost. The Government has put a $400 million price tag on the scheme. Is that a one-off charge? It can’t be. The cost of having the data collected and retained will be ongoing. It will be passed on through higher phone and Internet charges or it will have to be borne by taxpayers.

The PJCIS recommended that the Government make a contribution to industry costs. This is still to be negotiated. The Internet Society has offered the Government its technical expertise to assist in designing a model delivering an effective and equitable outcome.

It is thought that there are between 250 and 400 ISP’s of varying sizes. Some are owned by large corporations with deep financial pockets but others are small businesses providing a competitive service but with limited financial resources. Unless the proposed Government funded financial assistance package is structured to take this into account we could see a reduction in the number of ISP’s as some simply go out of business.

The costs of operating the data retention scheme that will be incurred by the law enforcement agencies have not been revealed. They will be significant.

(Laurie Patton was CEO / Executive Director of Internet Australia, the NFP peak body representing the interests of Internet users from 2014-2017. This article first appeared in John Menadue’s “Pearls and Irritations“.)