Law in the Internet Society

GillianWhiteSecondPaper 3 - 13 Jan 2013 - Main.GillianWhite
Line: 1 to 1
 
META TOPICPARENT name="SecondPaper"
Changed:
<
<

Mandatory data retention in Australia: a case study of a (further) proposed assault on privacy

-- By GillianWhite - 14 Nov 2012

>
>

Mandatory data retention in Australia: will this proposed assault on privacy come to pass?

 

1. The proposal

Changed:
<
<
In May 2012, the Australian Government announced an inquiry into potential reforms to national security legislation. The asserted basis was that Australia needs to ‘ensure our national security capability can evolve to meet emerging threats, while also delivering the right checks and balances ….’ One proposed reform is a mandatory data retention law. The data retention proposal is vaguely described in the Government’s discussion paper as ‘[a]pplying tailored data retention periods for up to 2 years for parts of a data set, with specific time-frames taking into account agency priorities, and privacy and cost impacts.’ This proposal has alarmed many and led the Attorney-General to provide further information on the Government’s position in a letter to the Parliamentary Committee considering the reforms. This letter makes it clear that the proposal’s inspiration is the highly controversial EU Directive on mandatory data retention.

The EU Directive obliges providers of ‘publicly available electronic communications services or of public communications networks’ to retain certain data for criminal investigations. The objective applies to ‘traffic and location data … and to the related data necessary to identify the subscriber or registered user. It shall not apply to the content of electronic communications…’

>
>
In May 2012, the Australian Government announced an inquiry into further potential reforms to national security legislation, including a mandatory data retention scheme. The data retention proposal is vaguely described in the Government’s discussion paper as ‘[a]pplying tailored data retention periods for up to 2 years for parts of a data set, with specific time-frames taking into account agency priorities, and privacy and cost impacts.’
 
Changed:
<
<
In the rest of this paper, I will analyze how the Australian proposal (like the EU directive) presents a significant, further threat to the three elements of privacy that have been discussed in our course: anonymity; secrecy and autonomy. I will also discuss some broader ramifications.
>
>
In this course, we have discussed how privacy can be understood to encompass three elements: anonymity, secrecy and autonomy. We have also discussed the intersection between the actions that governments and the private sector can undertake to undermine privacy. A mandatory data retention scheme provides a clear example of how privacy can be undermined and how the government can co-opt the private sector to do this surveillance work (cheaply) for it.
 
Changed:
<
<

2. Undermining anonymity, secrecy and autonomy

>
>
Mandatory data retention laws ensure that every person’s anonymity is compromised by ISPs and phone carriers even when the government never requests this information. Such laws also compromise the secrecy of private communications. There will be ‘fuzzy’ lines to draw as to what constitutes ‘content’ (requiring a warrant) and what is meta-data (requiring no warrant) and which ISPs would hold at the government’s behest. This fuzziness has been made clear in recent Senate estimates hearings where officials argued that URLs did not fall within their ‘working definition’ of meta-data, despite previous contradictory statements. A mandatory data scheme would also be a significant blow to Australians’ autonomy to live their lives without the knowledge that they are being watched.
 
Changed:
<
<
A mandatory data retention scheme will undermine anonymity on the net for all Australians and all those communicating with Australians. As explained by the Electronic Frontier Foundation, the central tenet of data retention schemes is that ISPs, telephony providers etc are obliged to keep data including the records of IP address allocations to individuals and must, on request, give the government access to these data. This means that every person’s anonymity will be compromised by ISPs and phone carriers even where the government never requests this information: not only will that compromise be permitted, it will be legally required. Several industry players and civil liberty groups have raised the legitimate concern that mandated data retention may increase security risks for personal data, as each ISP will have to retain central repositories for lengthy periods of time (up to two years). Furthermore, there is no suggestion that officials’ requests for this information will require a warrant and so it is inevitable that government’s access will be over-inclusive (in terms of disregarding more individuals’ autonomy) than could feasibly be required for serious criminal investigations.
>
>
In the rest of this revised paper, I comment on the political opportunities to prevent or stall a mandatory data retention scheme in Australia and whether there are plausible legal responses if it does go ahead. Like all issues in a globalized world, I believe that there is something to be said about how issues play out in different national contexts, as well as about how Australia’s experience relates to geo-political realities.
 
Changed:
<
<
The Attorney-General and the security apparatus in Australia have argued that a mandatory data scheme would not apply to the content of communications and, when pressed, have said that web-browsing history is content. However, it is clear that a mandatory retention law compromises the secrecy of private communications for anyone not using encryption technology. There will be ‘fuzzy’ lines to draw as to what constitutes ‘content’. That fuzziness may chill communications. Additionally, the distinction between ‘meta data’ and content data is the kind of legal nicety that does not fit with the technological reality. Reports on the wide-ranging retention and use of location tracking data, which were graphically illustrated by German politician, Malte Spitz, provide real life examples which are difficult to refute.
>
>

2. Political and legal responses

 
Changed:
<
<
Finally, a mandatory data scheme would be a significant (but hardly discussed) blow to Australians’ autonomy to live their lives without the knowledge, or the suspicion, that they are being watched. This will almost certainly not be a focus of the political debate—even though there are cries of ‘police state’—as Australians generally have no direct experience of widespread government surveillance. Further, Australia does not have a bill of rights and has not adopted the US concept of privacy-as-autonomy. It remains to be seen whether the holding of private information by both private companies and the government, as a matter of course, will awake more people from this complacency
>
>
The good news is that the consultation and parliamentary committee process may result in data retention being put on the political back-burner. An election is likely to be called around August 2013, and since there is no draft legislation, it is unlikely to be an issue that the minority Labor Government will want to push through just prior to an election. Leaks suggest a number of conservative (Liberal party) parliamentarians oppose (http://www.theaustralian.com.au/national-affairs/coalition-mps-hit-out-against-data-retention/story-fn59niix-1226471898912) the idea.
 
Changed:
<
<

3. Further implications

>
>
Interestingly, there are opportunities for unusual coalitions to coalesce against any draft law. The broadly ‘left wing’ Greens party (http://www.aph.gov.au/Parliamentary_Business/Committees/House_of_Representatives_Committees?url=pjcis/nsl2012/subs/sub146.pdf), the GetUp advocacy group (grassroots leftish lobbyists) and lawyers have made their human rights concerns clear. However, it is only in combination with industry’s arguments that the government has not thought through the implications of data retention that this dissent could have real political bite.
 
Changed:
<
<
It is unclear whether the Australian Government will follow through with a mandatory data retention law. The EU precedent, the claims that this is a terrorism and crime-busting measure like the US FISA Amendment Acts 2008, and the absence of a constitutional right to privacy, suggest that it has a very strong chance of being enacted. The Government earlier this year passed a law enabling agencies to provide foreign law enforcement agencies with existing and prospective telecommunications data held or generated in Australia, ahead of a warrant being issued. An Australian data retention law would furnish another precedent for lawmakers, not only in Australia but also around the world, demonstrating how to require everyone’s information to be held, not just the information of those implicated in alleged crime.
>
>
Industry’s argument is that data retention will be costly and, if the government doesn’t directly pay, then this will be passed onto the consumer. Perhaps a campaign that your internet costs will increase because the government wants to spy on you could work political wonders? This line could see an unlikely, but potent, coalition between Greens and conservatives, which could be enough to kill the law.
 
Changed:
<
<
Reflecting on our class’s discussions of private entities use of information, I think it is noteworthy that the policy analysis in Australia has not taken into account what kind of private actor behavior such a law will encourage. We already know that companies are collecting clients’ data to track consumers, target advertising and trade information with others. If government mandates the collection and retention of this information, it is likely that more players will come along to this information-collection-party. Some ISPs in Australia have complained that it will be costly for them to retain all this information. Even assuming that the costs are great (which may be doubted), it is not difficult to see an ever-increasing alignment between the government’s requirements and a commercial interest in retaining and using that information for other purposes as well. A law which directly allows both private actors and the government to undermine all citizens’ privacy is arguably never justifiable. This should not be obscured by generic claims of ‘national interest’.
>
>
Industry has also argued that there are security risks associated with mass storage. To underscore this concern, it is alleged that ‘Anonymous’ hacked an ISP’s data to demonstrate these security risks. This is a controversial tactic, but it is something that industry has seized on in parliamentary inquiry submissions about the untold risks of data retention.
 
Changed:
<
<
>
>
Although there is potential for coordinated dissent to hinder this policy, the introduction of some form of mandatory data retention over the medium term appears a real risk. Government could introduce a similar scheme in the future – saying the issues were of detail, not substance. Australia is always keen to align itself with the national security priorities of the US and other Western nations. This issue is no exception. Australia has shown a willingness to cooperate with other nations to provide collected data. In 2012, Australia ratified the Council of Europe’s Convention on CyberCrime and passed a law enabling agencies to provide foreign law enforcement agencies with existing and prospective telecommunications data held or generated in Australia, ahead of a warrant. We cannot assume that information will only be provided to democratic nations, or for purposes that Australian citizens would condone. It is hard to find any moral high-ground about China spying on its citizens, when countries like Australia continue to remove all the road-blocks from this occurring in their own nation and enshrine laws to provide this information to other nations.
 
Changed:
<
<
As the text itself makes clear, this draft contains nothing except the word "Australia" that hasn't already been written about endlessly. That the Gillard Government is playing the usual supine Eye-5 role, taking directly whatever orders are issued by the US "intelligence community," and calling them the "national security" of (white) Australia could have been covered in a paragraph. The rest is cribbed from EFF in the US and the objections of Europeans to the "European" directive.
>
>
Unfortunately, if mandatory data retention is introduced, there is no reasonably arguable legal ground for challenging the laws. Laws are not invalid merely because they conflict with Australia’s international obligations. Australia has no express or implied constitutional rights to privacy, or to be free from search and seizure which is either unreasonable or not authorized by warrant.
 
Changed:
<
<
I will be teaching an entire course on this subject next term; if this were all there were to say on the subject, the course wouldn't last an afternoon. But you neither present any Australian legal arguments against the effort, nor distinguish in any way the situation prevailing there from the situations prevailing elsewhere. You don't analytically explain "data retention" as pervasive government listening on the cheap, paid for by private parties acting at their own expense as government spies. You don't explain either what citizens can do or what they can't do in light of the initiatives they are watching unfold before their eyes, or how the political coalitions might be built to interfere with the politics you don't discuss. Most tellingly, though you are nominally writing about Australia, you don't explain how this moves Canberra closer to Beijing, rather than only to Washington. This, which is the single most important and least politically predictable part of the entire story, might as well be proceeding on Mars for all that your reader learns about it at your hands.
>
>
The Constitution does protect a limited freedom of political speech. It may be possible to construct an argument that data retention could be invalid as applied to political information. The difficulty is that the constitutional freedom only applies to invalidate laws which impose an “effective burden” on political communication. The High Court has only ever found this standard to be met by laws which prohibit speech: it has not held that laws which are likely to chill speech or which compel speech meet this standard. Even if the regime imposes an effective burden on political communication, the Court has given the government great leeway to burden speech in pursuit of legitimate ends, and claims that the laws advance national security would carry great weight.
 
Deleted:
<
<
 \ No newline at end of file
Added:
>
>
Trying to stop this law being passed in the first place, or self-help through encryption and other technologies, appear to be the best options in an Australian context.

Revision 3r3 - 13 Jan 2013 - 21:00:07 - GillianWhite
Revision 2r2 - 14 Dec 2012 - 19:32:10 - EbenMoglen
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.