[LINK] Crikey: The Wholesale Abuse of the Data Retention Scheme
Roger Clarke
Roger.Clarke at xamax.com.au
Tue Feb 25 21:59:38 AEDT 2020
[Crikey needs ongoing support, if only to keep Bernard Keane doing what
he does.]
Data retention scheme is being abused exactly as critics predicted
A review of the Abbott government's data retention scheme has shown it
is being widely abused by scores of bodies around the country.
BERNARD KEANE
Crikey
FEB 25, 2020
https://www.crikey.com.au/2020/02/25/data-retention-scheme-abuse/
A review of the mass surveillance scheme established by the Abbott
government six years ago has revealed how it is being widely abused in
ways voters were assured would never happen.
The government’s data retention regime, which compels communications
providers to retain personal information on service use by customers for
two years, is currently the subject of a statutory review by the
Parliamentary Joint Committee on Intelligence and Security.
When the Abbott government introduced the scheme in 2014, it assured
Australians that the unprecedented level of surveillance of their
communications metadata — which can be used to construct a detailed
portrait of an individual’s life beyond that provided by any content
they may use — would be subject to strict controls.
Its use would be limited to serious offences and a small number of
security agencies — just 22 across the state and federal governments.
Those commitments have turned out to be false.
Telecommunications companies and the Communications Alliance, the body
representing most telecommunications providers in Australia, made
submissions to the committee last year that scores of bodies other than
the 22 security agencies specified in the data retention legislation
were routinely seeking retained data.
According to the Communications Alliance, bodies such as local councils,
the Victorian racing integrity regulator, taxi bodies, a vet body and
anti-dumping agencies have used a loophole under which they are able to
request retained data from telecommunications providers, via s.280 of
the Telecommunications Act.
In evidence to the committee earlier this month, the Communications
Alliance went further, explaining “when agencies outside the 22 CLEAs
make data requests … those requests can be imprecise. Sometimes these
agencies don’t know exactly what they’re looking for or what they’re
trying to find. Often they also have difficulty interpreting the data
that they receive, come back to the service provider and try to work
their way through it.”
This has also led to the content of communications such as the URLs
users are accessing being disclosed by providers, in direct defiance of
the intended limitation of data retention to metadata only.
Then-attorney-general George Brandis notoriously made a fool of himself
trying to explain that the scheme would be strictly confined to metadata
rather than content such as URLs, but according to Christiane
Gillespie-Jones of the Communications Alliance, URLs are “sometimes, but
not always by far, being provided by providers because of the difficulty
of separating out specific data points. I suspect that the same might be
the case with location data.”
Gillespie-Jones also told the committee retained data was being obtained
for civil court proceedings, yet again in defiance of the purported
limitation of data retention for serious criminal offences.
Data that would otherwise be deleted, but which is now being retained at
the request of security agencies, is being caught by other provisions of
telecommunications legislation, and processes such as court subpoenas,
and dragged into activities voters were assured it would never be used in.
At a previous hearing, staff of the Commonwealth Ombudsman told the
committee they were also aware of over 100 instances of information
being incorrectly provided to security agencies in 2017-18, including
over 40 cases of information for the wrong period being provided and 13
cases of data not asked for.
The Ombudsman’s office also argued that it was straightforward for
security agencies to evade the requirements of the “journalist
information warrant” process, intended to provide an extra hurdle when
agencies want to obtain metadata to identify a journalist’s sources:
“If an agency has a sense of who the source might be, they can get an
internal authorisation to access the potential source’s data and, in so
doing, identify those phone numbers and so forth that the potential
source was communicating with, and it may turn out that one of those is
the journalist. And so there is a way in which the journalist’s source
is identified but without accessing a journalist information warrant.”
Security agencies are also routinely keeping data indefinitely
(something not prohibited by the data retention laws) enabling them to
connect data from different requests and thus assemble a richly detailed
portrait of individuals.
Each new request potentially adds further layers and connections to
existing data on targets such as whistleblowers, journalists, lawyers —
some of the recent targets of the Australian Federal Police and ASIO.
Data retention critics repeatedly warned that each of these outcomes
would inevitably result from such a scheme: that retaining user data
would prove an irresistible honeypot for non-security agencies, that
mission creep would mean the scheme would stop being about “the most
serious criminal offences” and start being about parking fines and
rubbish bins.
They warned that metadata and content could not be cleanly separated,
that journalists and whistleblowers would be the target of the scheme
and that agencies would compile data in order to construct ongoing
profiles of large numbers of people.
Those critics were ignored at the time, particularly by the media, which
only woke up to the threat posed by data retention at the last minute
and were placated with an exception that, as the Ombudsman
representatives noted, is trivially easy to evade.
It’s now up to the government-controlled intelligence and security
committee to push for fixes to a scheme that was fundamentally flawed
from the outset.
--
Roger Clarke mailto:Roger.Clarke at xamax.com.au
T: +61 2 6288 6916 http://www.xamax.com.au http://www.rogerclarke.com
Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Visiting Professor in the Faculty of Law University of N.S.W.
Visiting Professor in Computer Science Australian National University