Law in the Internet Society

Mandatory data retention in Australia: a case study of a (further) proposed assault on privacy

-- By GillianWhite - 14 Nov 2012

1. The proposal

In May 2012, the Australian Government announced an inquiry into potential reforms to national security legislation. The asserted basis was that Australia needs to ‘ensure our national security capability can evolve to meet emerging threats, while also delivering the right checks and balances ….’ One proposed reform is a mandatory data retention law. The data retention proposal is vaguely described in the Government’s discussion paper as ‘[a]pplying tailored data retention periods for up to 2 years for parts of a data set, with specific time-frames taking into account agency priorities, and privacy and cost impacts.’ This proposal has alarmed many and led the Attorney-General to provide further information on the Government’s position in a letter to the Parliamentary Committee considering the reforms. This letter makes it clear that the proposal’s inspiration is the highly controversial EU Directive on mandatory data retention.

The EU Directive obliges providers of ‘publicly available electronic communications services or of public communications networks’ to retain certain data for criminal investigations. The objective applies to ‘traffic and location data … and to the related data necessary to identify the subscriber or registered user. It shall not apply to the content of electronic communications…’

In the rest of this paper, I will analyze how the Australian proposal (like the EU directive) presents a significant, further threat to the three elements of privacy that have been discussed in our course: anonymity; secrecy and autonomy. I will also discuss some broader ramifications.

2. Undermining anonymity, secrecy and autonomy

A mandatory data retention scheme will undermine anonymity on the net for all Australians and all those communicating with Australians. As explained by the Electronic Frontier Foundation, the central tenet of data retention schemes is that ISPs, telephony providers etc are obliged to keep data including the records of IP address allocations to individuals and must, on request, give the government access to these data. This means that every person’s anonymity will be compromised by ISPs and phone carriers even where the government never requests this information: not only will that compromise be permitted, it will be legally required. Several industry players and civil liberty groups have raised the legitimate concern that mandated data retention may increase security risks for personal data, as each ISP will have to retain central repositories for lengthy periods of time (up to two years). Furthermore, there is no suggestion that officials’ requests for this information will require a warrant and so it is inevitable that government’s access will be over-inclusive (in terms of disregarding more individuals’ autonomy) than could feasibly be required for serious criminal investigations.

The Attorney-General and the security apparatus in Australia have argued that a mandatory data scheme would not apply to the content of communications and, when pressed, have said that web-browsing history is content. However, it is clear that a mandatory retention law compromises the secrecy of private communications for anyone not using encryption technology. There will be ‘fuzzy’ lines to draw as to what constitutes ‘content’. That fuzziness may chill communications. Additionally, the distinction between ‘meta data’ and content data is the kind of legal nicety that does not fit with the technological reality. Reports on the wide-ranging retention and use of location tracking data, which were graphically illustrated by German politician, Malte Spitz, provide real life examples which are difficult to refute.

Finally, a mandatory data scheme would be a significant (but hardly discussed) blow to Australians’ autonomy to live their lives without the knowledge, or the suspicion, that they are being watched. This will almost certainly not be a focus of the political debate—even though there are cries of ‘police state’—as Australians generally have no direct experience of widespread government surveillance. Further, Australia does not have a bill of rights and has not adopted the US concept of privacy-as-autonomy. It remains to be seen whether the holding of private information by both private companies and the government, as a matter of course, will awake more people from this complacency

3. Further implications

It is unclear whether the Australian Government will follow through with a mandatory data retention law. The EU precedent, the claims that this is a terrorism and crime-busting measure like the US FISA Amendment Acts 2008, and the absence of a constitutional right to privacy, suggest that it has a very strong chance of being enacted. The Government earlier this year passed a law enabling agencies to provide foreign law enforcement agencies with existing and prospective telecommunications data held or generated in Australia, ahead of a warrant being issued. An Australian data retention law would furnish another precedent for lawmakers, not only in Australia but also around the world, demonstrating how to require everyone’s information to be held, not just the information of those implicated in alleged crime.

Reflecting on our class’s discussions of private entities use of information, I think it is noteworthy that the policy analysis in Australia has not taken into account what kind of private actor behavior such a law will encourage. We already know that companies are collecting clients’ data to track consumers, target advertising and trade information with others. If government mandates the collection and retention of this information, it is likely that more players will come along to this information-collection-party. Some ISPs in Australia have complained that it will be costly for them to retain all this information. Even assuming that the costs are great (which may be doubted), it is not difficult to see an ever-increasing alignment between the government’s requirements and a commercial interest in retaining and using that information for other purposes as well. A law which directly allows both private actors and the government to undermine all citizens’ privacy is arguably never justifiable. This should not be obscured by generic claims of ‘national interest’.

As the text itself makes clear, this draft contains nothing except the word "Australia" that hasn't already been written about endlessly. That the Gillard Government is playing the usual supine Eye-5 role, taking directly whatever orders are issued by the US "intelligence community," and calling them the "national security" of (white) Australia could have been covered in a paragraph. The rest is cribbed from EFF in the US and the objections of Europeans to the "European" directive.

I will be teaching an entire course on this subject next term; if this were all there were to say on the subject, the course wouldn't last an afternoon. But you neither present any Australian legal arguments against the effort, nor distinguish in any way the situation prevailing there from the situations prevailing elsewhere. You don't analytically explain "data retention" as pervasive government listening on the cheap, paid for by private parties acting at their own expense as government spies. You don't explain either what citizens can do or what they can't do in light of the initiatives they are watching unfold before their eyes, or how the political coalitions might be built to interfere with the politics you don't discuss. Most tellingly, though you are nominally writing about Australia, you don't explain how this moves Canberra closer to Beijing, rather than only to Washington. This, which is the single most important and least politically predictable part of the entire story, might as well be proceeding on Mars for all that your reader learns about it at your hands.


Webs Webs

r2 - 14 Dec 2012 - 19:32:10 - EbenMoglen
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM