The federal government’s mandatory data retention law is now in effect, although similar schemes have been ruled invalid in the European Union for contravening privacy.
Despite widespread criticism, the regime is now set to capture personal details such as phone numbers, email addresses, time and location of communications – but serious safeguards such as how the data will be stored and protected are missing.
Serious flaws in data retention regime
The government’s new data retention law requires telecommunication and internet providers to hold on to communications metadata for all customers for two years, but there are serious flaws in the scheme.
- The hastily introduced regime gives warrantless access to personal data to many government agencies while ISPs struggle to comply with the regime.
- Many ISPs have reportedly not had their plan for data retention approved by the Attorney-General’s department and smaller providers that cannot absorb the cost of the new scheme may end up broke.
- Confusion reigns because the legislation is unclear and leaves out overseas webmail services and many messaging apps.
- Consumer protections such as mandatory data breach legislation, which would require telcos to alert customers if personal information has been compromised, are missing. This important safeguard should have gone hand-in-hand with the data retention regime and the government had promised a law for a notification scheme would be introduced by the end of the year, but it is missing.
Who can access your digital data
Prior to the new legislation, law enforcement agencies could use targeted data preservation notices to request telcos and internet providers store communications by suspected criminals.
Under the new scheme, fewer agencies can access metadata, but many will have warrantless access to the private details of all telecommunications users. The list of agencies with access can be added to by the Attorney-General, and currently includes:
- federal, state and territory police
- Australian Security Intelligence Organisation (ASIO)
- Australian Crime Commission (ACC)
- Australian Border Force
- Australian Securities and Investments Commission (ASIC)
- Australian Competition and Consumer Commission (ACCC).
The government published an annual report on the number of requests for access to metadata in 2012–13. Some internet providers have also published information on what requests they’ve had for customer data. Telstra, for example, had almost 85,000 requests in the 2014 financial year.
What about privacy?
Personal data is protected by the Privacy Act, and the Privacy Commissioner will assess industry compliance with the Privacy Principles and privacy protection responsibilities under the Telecommunications Act. However, it will be four years before the scheme is formally reviewed by government yet the definition of data that can be collected is wide ranging and extensive.
The new regime aims to protect journalists’ metadata by requiring police and security agencies to seek a warrant to access metadata that may reveal sources. However, there are still questions about where the data will be stored – offshore or locally – and what oversight there’ll be of agency requests to see metadata.
Counting the cost of metadata
Metadata is a general term that covers details such as the time of a mobile phone call, a caller’s location or a computer’s internet protocol (IP) address, but it doesn’t come cheap and telcos, and therefore consumers, will pay.
- The Attorney-General claims that the scheme could cost in the order of $188 million to $319 million, according to estimates from PricewaterhouseCoopers.
- The government is spending more than $131 million in upfront capital costs for the scheme.
- The industry body Communications Alliance is concerned about the extra cost and says there’s a lot of information that can be retained, but only some will be useful for law enforcement.
- Some reports have suggested it could add up to $100 a year to the cost of phone and internet plans for consumers.
Critics of data retention scheme ignored
Critics such as privacy advocates and rights groups claim a data retention scheme isn’t needed and that it amounts to government overreach. The scheme has been criticised as passive mass surveillance that is open to scope creep.
Greens Senator Scott Ludlam has ridiculed the expensive regime which can be avoided with a VPN that “costs less than 15 cents a day, and ensures almost any data trail you leave is invisible to the scheme,” he said in a statement. “While implementation is both complex and costly to taxpayers and ISPs, the scheme is almost trivially easy to bypass for anyone motivated to do so. And there is no evidence – none – that these kinds of mass surveillance regimes have improved clearance rates for law enforcement or stopped the kinds of attacks that were supposedly the reason for the scheme being introduced.”
The Australian Communications Consumer Action Network published a report that found there was little evidence to support the claims of law enforcement agencies about the need for a mandatory metadata regime.
The Office of the Australian Information Commissioner had raised several serious concerns about the proposed scheme. It said that retaining large amounts of data, which could be defined as ‘personal information’, has implications for privacy laws. The office has also revealed concerns about potential data breaches if the personal information is stored for long periods of time.
Not all internet providers and telcos are happy about the scheme. Optus reportedly said the scheme could cost anywhere from $30m to more than $200m, depending on its scope, and that it may not retain the data that law enforcement agencies are interested in. iiNet has been opposed to a mandatory scheme for mass collection and storage of data on online, digital and telephone activity for third parties.
Online rights group Electronic Frontiers Australia has said it’s a violation of privacy and that policing and anti-terrorism agencies already have sufficient powers to gain metadata for investigating suspects. It slammed the scheme as “rushed, costly, ineffective, and against the public interest”. It said the legislation will capture the data of innocent Australians and cost millions of dollars, while allowing those who don’t want to be caught to remain hidden via numerous loopholes which could be used to evade the scheme.
When first mooted, the government’s plan was light on details and the industry consultation paper was only circulated to some internet service providers. The public got little detail from the government, having to rely on the industry paper that was leaked online last year.
Who supports data retention?
The government claims data retention is needed to combat terrorism as well as general crime. However, data from Australia and around the world shows that metadata is more often used in criminal cases, and rarely to investigate terrorism.
Law enforcement and surveillance agencies support mandatory metadata retention. Some internet providers are in favour of the scheme, with Telstra reportedly saying it already stores a lot of customer data and doesn’t see it as a real problem.
Australia in company with Mexico on data retention
Australia has come late to the data retention party and is now already the odd one out. In many countries, data retention regimes are being annulled and resisted on the grounds that they can compromise privacy and the rights of individuals.
The European Union has had a data retention regime since 2006, although it was recently ruled invalid by the European Court of Justice because of privacy concerns. The court found that the data could be used to identify people, and their location and movements.
Who has mandatory data retention?
The Electronic Frontiers Foundation publishes a list of countries with mandatory data retention laws.
Argentina: Data retention scheme ruled unconstitutional and annulled because it compromised privacy.
Brazil: Data retention bill was proposed, but prevented by public campaigns.
Czech Republic: Data retention law ruled unconstitutional and ISP obligations were cancelled.
Europe: Law under review in Hungary and Finland and being fought in Greece. Declared unconstitutional in Bulgaria, Cyprus, Germany and Romania. Resisted in Sweden and Slovakia. Poland has a scheme that goes beyond the EU parameters.
Mexico: Recently established a data retention scheme.
US: No scheme, but communications law can be used to compel providers to preserve data on government request.
Protect your metadata
If you want to protect your privacy online, there are some tools and apps that will help.
- Use a VPN to protect data on your network
- Secure messaging apps such as Signal for iPhone users. Android users need to use two apps for similar functionality – TextSecure for texting and RedPhone for voice calls (both available on Google Play Store).
- Anonymous browsing using Tor.
- File and email encryption.
What is metadata?
To understand what the government is proposing, it’s necessary to first understand metadata. Internet and telecommunications metadata is top-level information about an email, social media post, phone call or website visit.
Each and every time an electronic/digital piece of communication is sent, it creates data about when, where, how, what, from where and to whom it was sent. Metadata doesn’t relate to the content of the communication, so the body of an email, the details of a text message, all the content on a webpage and phone conversations are not considered metadata.
However, metadata gives away a great deal of information and insight into the communications, which is why law enforcement agencies want it stored. The new laws require a broad list of information to be stored and the Attorney-General may add to this list in the future.
Metadata can include:
- IP (computer’s) address
- Time of day
- Website URL
- To and from email addresses
- Length of phone calls or internet sessions
- Application used to go online
source : https://www.choice.com.au/electronics-and-technology/internet/internet-privacy-and-safety/articles/mandatory-data-retention-regime-on-its-way Author – Ros Page