Data Retention – An Act of blindness

One day a rooster, the next day a feather duster!

By LAURIE PATTON | 30 October 2020

Shortly after joining Internet Australia as CEO in 2014 I fronted the Parliamentary Joint Committee on Security and Intelligence (PJCIS) to make a submission on the subsequently enacted Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015. I boldly told the committee that the draft Bill before the Parliament was “fundamentally flawed” and had clearly been written by lawyers who didn’t understand how the Internet actually works.

One of the then committee members, Philip Ruddock, challenged me to provide evidence, which was subsequently delivered in a confidential supplementary submission. As a result the committee made 29 recommendations for amendments to the Bill. The most important of these was a proposal for the PJCIS to undertake a review of the scheme after three years.

This week the PJCIS released its report on that review – making 22 recommendations that, if accepted, would lead to increased transparency, raise the threshold for when data can be accessed, and reduce overall access to our private data.

According to committee chair Andrew Hastie, a Coalition MP: “Our recommendations are aimed at improving mandatory data retention in a way that does not have a great effect on law enforcement and ASIO’s ability to do their very important work”.

Nevertheless, the report focusses attention on the very flaws that Internet Australia noted years ago. And it follows too many reports of the “mission creep“ we warned about – not to mention downright unlawful use of people’s metadata not intended by the Parliament.

The PJCIS slammed a loophole whereby a range of unintended organisations have accessed people’s data, saying it was of “considerable concern”. It also recommended that while warrantless access should continue this should be restricted to a smaller number of agencies.

When I addressed the PJCIS in 2014 I noted that international experience has not found data retention schemes to have had much effect. Furthermore, during the limited public debate at that time certain high profile individuals (remember Malcolm Turnbull?) took to the media to explain the many ways determined wrongdoers could easily bypass the long arm of the data retention law.

Unfortunately, as is the way with these things, the Government did not put its mind to the more difficult question of how to deal with the serious drafting issues we warned them about. Then, nor did the Attorney General’s Department.

While the recommendations made in this week’s report are to be applauded they do not fully address all the issues concerning civil liberties groups and IT experts.

Also appearing before the PJCIS hearing back in 2014, a senior Telstra executive warned that we would be creating “honeypots” – large masses of private and confidential data that would be very enticing to hackers. Any large repository of confidential data is a potential hacking target.

The journalists union, the MEAA, raised its fear that the legislation would be used to identify sources, pointing to the important role that “whistle blowers” often play. At the last minute the media companies secured what some thought was a form of protection. Before they can use a journalist’s data law enforcement agencies must seek a court warrant. However, it is arguable that by the time they’ve trawled through the honeypots and subsequently discovered that the data belongs to a journalist they will have enough prima facie evidence to justify a warrant.

The history of the Data Retention Act provides a spectacular case study in how not to introduce complex legislation. It is a classic example of a badly designed law that was rushed through the Parliament in the dubious belief that urgency was justified and would not impede the efficient implementation of a new regulatory regime. This haste in the design and implementation ensured that unforeseen problems would ensue.

Commonwealth Ombudsman, Michael Manthorpe, found that ambiguity in Australia’s data retention regime means that on some occasions law enforcement agencies were able to obtain details of an individual’s web browsing history without a warrant, as required under the Act. Mr Manthorpe had appeared before the PJCIS inquiry that led to this week’s report

In its submission to the PJCIS inquiry the Australian Human Rights Commission argued for a reduction in the retention period from two years to a period of under six months. This is not one of its recommendations.

No doubt when those more expert than me have considered this latest review we will be in a better position to determine whether or not the scheme is still fundamentally flawed.

(Laurie Patton is a former CEO / Executive Director of Internet Australia, the NFP peak body representing the interests of Internet users, and until this week the Vice President of TelSoc.)