It’s no secret that I’m something of a freedom/privacy advocate with this blog’s origins being traced directly to the No Clean Feed movement that started back in 2008. Thankfully I haven’t had to rattle that cage for a long time thanks to the policy being so unbelievably toxic that, whilst it hasn’t been officially killed, has been buried so deep that it should only rear its head again during a future zombie apocalypse. However that doesn’t mean that there hasn’t been other transgressions against our privacy or freedom in recent times however and one such incident is the data retention plan that was mentioned in the “EQUIPPING AUSTRALIA AGAINST EMERGING AND EVOLVING THREATS” discussion paper that was released a few months ago.
I’ve been asked a couple times why I’ve been silent on this particular issue given that it’s on a pretty similar level to the Clean Feed was back in the day and the honest answer was I thought the current media coverage was doing a pretty good job of tearing it apart and I wouldn’t be adding anything meaningful to the discussion. However since the coverage ramped up over the past few weeks I’d been hearing conflicting reports over what the paper actually said, what the clarifications where and what policy based off it would probably look like. After not being able to find much actual analysis on it (mostly just reactions to the paper) I decided that it was high time for me to read through the whole thing and make up my mind for myself.
All 60, enthralling pages of it.
For the most part the discussion paper is pretty mundane sort of stuff, setting up the case for why changes in legislation and increases in governmental powers are required due to technology changing the landscape which ASIO, ASIS and the Australian police forces operate in. Many of the provisions discussed in the paper are expansions of their powers and protections which would make it easier for them to gather evidence and are not straight up translations of old legislation into the technological age. However there’s also some suggested increases in privacy protections as well as the removal of interception powers from some agencies which kind of counter-acts the various increases. Most analyses I’ve read don’t seem to mention this and seem to focus on a particular line that appears twice in the report with very little else around it.
The line in question appears on pages 10 and 13 in the report (in reference to Modernising the Industry Assistance Framework) and reads:
…tailored data retention periods for up to 2 years for parts of a data set, with specific timeframes taking into account agency priorities and privacy and cost impacts.
Taken at face value this suggest that the government is seeking comments on how a data retention policy like this could be implemented in order to help facilitate investigations undertaken by interception agencies. Now there’s literally nothing more on it other than that so the claims that the government wants to mandate that all ISPs retain all your data for 2 years are largely unfounded but such an idea would fit into the description they’ve laid out. Indeed since there’s no other information in the discussion paper about a retention policy any conclusions we draw are purely speculative but there have been some clarifications since its publication which provide a bit more insight into what a data retention policy might end up looking like.
In her clarification video Nicola Roxon states that they’re simply seeking an extension of the current policy which allows law enforcement to acquire the metadata, but not the content, of Internet communications of a person they’re investigating. The issue that most people take here (and so do I after researching this) is that there’s no clear definition of what constitutes metadata, either in the discussion paper itself or anywhere else in Australian law. Clarifying that definition (which has been happening behind the scenes recently) would go a long way to alleviating the concerns that many have raised. I’m still not entirely ok with the idea of storing it for 2 years but if the definition is clarified and the scope limited in a similar fashion to the way it already is for phone calls then I won’t have as much of an issue with it as I do currently.
There was also some talk of law enforcement requiring you to hand over your social networking passwords which I couldn’t find any evidence for. There was a paragraph or two talking about the exemptions for social networks and cloud providers which was seen as a potential weak spot in the proposed reforms however there was no mention of establishing laws to compel people to reveal passwords should they come under investigation. Indeed I believe the current law already covers this off succinctly and all major social networks have been compliant in the past. The line “establish an offence for failure to assist in the decryption of communications” could be construed as requiring you to hand over passwords in order to decrypt volumes which does feel like a violation of self incrimination rights however but I believe there’s no precedent set on that yet. I certainly don’t agree with it, however.
Whilst the ideas that are mentioned in the paper have potentially devastating consequences the reaction to them has been largely overblown. Sure there are interpretations that fall under that definition but there are also others which would make such policies largely benign, especially if you’re ok with the current provisions granted to law enforcement agencies. Clarification is the key here though and that job falls to the Parliamentary Joint Committee on Intelligence and Security who this discussion paper was submitted to. If they do it right many of these concerns will be addressed. If they don’t then I’ll be right along side everyone else, fighting to get the legislation killed before it sees the light of day.
Honestly I feel like the reaction to this paper has been largely overblown fuelled by the passionate, but sometimes over-zealous, individuals at GetUp who have oversold what the potential legislation based off this discussion paper might be capable of. That’s an awful lot of speculation and whilst I don’t like the potential that it represents I’m not about to jump to conclusions until a final policy is tabled in parliament. Once that happens, and should my concerns not be addressed, I’ll do what every Australian should do in that case: write to your representative detailing your concerns. I agree that clarification is required but I don’t believe that warrants stirring up the shit storm that’s been done so far, especially when you take liberal interpretations of it one way and don’t consider the other.