The media’s attention this past week turned to the 61 “fringe agencies” trying to get access to our metadata. Many have missed the point that when Parliament passed the Data Retention Act the Government heralded the fact that it had cut the list of those able to access our private and personal information to the bare minimum. Most of the agencies asking to be added to the list now are precisely the ones that Senator Brandis told us didn’t have sufficient justification, even though they’d historically had unfettered access.
If any of these agencies, that include the RSPCA, local councils and racing authorities, really need any of this stored data they can go via the Federal Police, or their local police force. Provided that they are investigating a criminal offence and a genuine need can be established they should have no difficulty getting the assistance they require.
The Data Retention Act is supposed to ensure that authorised agencies have proper internal controls over who can access the data and under what conditions. The selection of those agencies needs to include an ongoing assessment of their ability to create and maintain the necessary security systems.
The risk for the Government is that if they allow any addition to the list they will generate another round of condemnation from the many civil society and technical groups that remain implacably opposed to data retention.
The bigger issue with the data retention scheme remains the fact that it will require somewhere around $300/400M in establishment costs (according to industry estimates and PwC) and who knows how much in ongoing compliance for the hundreds of ISP’s involved. The Government has only allocated $128M in set-up funding and nothing in recurrent support. So we will inevitably all end up paying more for our Internet services, including and especially industry. We could even see smaller ISP’s shutting up shop, especially in regional areas where they provide personal service not available via the large telcos.
Then there are the security risks. Telstra has warned of the danger of creating what are termed honey pots – that is, large collections of data which will be a great temptation to hackers around the world. The longer the retention period the more data that has to be held (we’ve gone for two years, whereas six to 12 months is where much of the world has settled). The more data stored the greater the risk of a security breach.
Many things in life come down to balancing risks. Nowhere in the world has there been conclusive evidence provided that data retention helps in the fight against terrorism, which was the Government’s rationale for this law. There is evidence that data retention can help with general crime detection. So the two questions we must ask are these; is the reward worth the risk and are we happy for access to our metadata to be available without a warrant? Sadly, little or no time was given to analysing these questions before the law came into effect – especially in the public arena. It’s not too late to revisit the question. Internet Australia has asked the Government to bring forward a review by the Parliamentary Joint Committee on Intelligence and Security, scheduled for 2018.
Internet Australia has also highlighted the confusion facing ISP’s as a result of what it told the PJCIS in 2014 was “fundamentally flawed” legislation clearly written by lawyers who don’t understand how the Internet works. The Act took effect from October last year. Telstra told the Attorney General’s Department that it needs more time to sort out its compliance systems and has been granted an eighteen months extension. Industry intelligence suggests that hundreds of other ISP’s are likewise still trying to work out what to do. If more follow Telstra and ask for extra time to comply it could conceivably turn out to be more than two years from the time the Bill was introduced into Parliament and the date at which the scheme is actually operable. So much for urgency.
Law enforcement agencies had sought data retention powers for the better part of a decade or longer. However, successive AG’s from both sides put the issue in the too hard basket. Senator Brandis had no choice but to follow the instructions of Prime Minister Abbott who ignored complaints from civil society groups around privacy protection issues, and the evidence from security experts that they just won’t work as a weapon against tech-savvy terrorists.
It remains to be seen if Prime Minister Turnbull will eventually instruct his first law officer to rethink things. When he was Communications Minister he gave the appearance that he understood the issues and wasn’t convinced.
Oh, and did I mention that he went on television and told everyone how easy it is to find a way around the Data Retention Act anyway?
Laurie Patton is CEO Internet Australia.