[LINK] Crikey: The Wholesale Abuse of the Data Retention Scheme

Roger Clarke Roger.Clarke at xamax.com.au
Tue Feb 25 21:59:38 AEDT 2020

[Crikey needs ongoing support, if only to keep Bernard Keane doing what 
he does.]

Data retention scheme is being abused exactly as critics predicted
A review of the Abbott government's data retention scheme has shown it 
is being widely abused by scores of bodies around the country.
FEB 25, 2020

A review of the mass surveillance scheme established by the Abbott 
government six years ago has revealed how it is being widely abused in 
ways voters were assured would never happen.

The government’s data retention regime, which compels communications 
providers to retain personal information on service use by customers for 
two years, is currently the subject of a statutory review by the 
Parliamentary Joint Committee on Intelligence and Security.

When the Abbott government introduced the scheme in 2014, it assured 
Australians that the unprecedented level of surveillance of their 
communications metadata — which can be used to construct a detailed 
portrait of an individual’s life beyond that provided by any content 
they may use — would be subject to strict controls.

Its use would be limited to serious offences and a small number of 
security agencies — just 22 across the state and federal governments.

Those commitments have turned out to be false.

Telecommunications companies and the Communications Alliance, the body 
representing most telecommunications providers in Australia, made 
submissions to the committee last year that scores of bodies other than 
the 22 security agencies specified in the data retention legislation 
were routinely seeking retained data.

According to the Communications Alliance, bodies such as local councils, 
the Victorian racing integrity regulator, taxi bodies, a vet body and 
anti-dumping agencies have used a loophole under which they are able to 
request retained data from telecommunications providers, via s.280 of 
the Telecommunications Act.

In evidence to the committee earlier this month, the Communications 
Alliance went further, explaining “when agencies outside the 22 CLEAs 
make data requests … those requests can be imprecise. Sometimes these 
agencies don’t know exactly what they’re looking for or what they’re 
trying to find. Often they also have difficulty interpreting the data 
that they receive, come back to the service provider and try to work 
their way through it.”

This has also led to the content of communications such as the URLs 
users are accessing being disclosed by providers, in direct defiance of 
the intended limitation of data retention to metadata only.

Then-attorney-general George Brandis notoriously made a fool of himself 
trying to explain that the scheme would be strictly confined to metadata 
rather than content such as URLs, but according to Christiane 
Gillespie-Jones of the Communications Alliance, URLs are “sometimes, but 
not always by far, being provided by providers because of the difficulty 
of separating out specific data points. I suspect that the same might be 
the case with location data.”

Gillespie-Jones also told the committee retained data was being obtained 
for civil court proceedings, yet again in defiance of the purported 
limitation of data retention for serious criminal offences.

Data that would otherwise be deleted, but which is now being retained at 
the request of security agencies, is being caught by other provisions of 
telecommunications legislation, and processes such as court subpoenas, 
and dragged into activities voters were assured it would never be used in.

At a previous hearing, staff of the Commonwealth Ombudsman told the 
committee they were also aware of over 100 instances of information 
being incorrectly provided to security agencies in 2017-18, including 
over 40 cases of information for the wrong period being provided and 13 
cases of data not asked for.

The Ombudsman’s office also argued that it was straightforward for 
security agencies to evade the requirements of the “journalist 
information warrant” process, intended to provide an extra hurdle when 
agencies want to obtain metadata to identify a journalist’s sources:

“If an agency has a sense of who the source might be, they can get an 
internal authorisation to access the potential source’s data and, in so 
doing, identify those phone numbers and so forth that the potential 
source was communicating with, and it may turn out that one of those is 
the journalist. And so there is a way in which the journalist’s source 
is identified but without accessing a journalist information warrant.”

Security agencies are also routinely keeping data indefinitely 
(something not prohibited by the data retention laws) enabling them to 
connect data from different requests and thus assemble a richly detailed 
portrait of individuals.

Each new request potentially adds further layers and connections to 
existing data on targets such as whistleblowers, journalists, lawyers — 
some of the recent targets of the Australian Federal Police and ASIO.

Data retention critics repeatedly warned that each of these outcomes 
would inevitably result from such a scheme: that retaining user data 
would prove an irresistible honeypot for non-security agencies, that 
mission creep would mean the scheme would stop being about “the most 
serious criminal offences” and start being about parking fines and 
rubbish bins.

They warned that metadata and content could not be cleanly separated, 
that journalists and whistleblowers would be the target of the scheme 
and that agencies would compile data in order to construct ongoing 
profiles of large numbers of people.

Those critics were ignored at the time, particularly by the media, which 
only woke up to the threat posed by data retention at the last minute 
and were placated with an exception that, as the Ombudsman 
representatives noted, is trivially easy to evade.

It’s now up to the government-controlled intelligence and security 
committee to push for fixes to a scheme that was fundamentally flawed 
from the outset.

Roger Clarke                            mailto:Roger.Clarke at xamax.com.au
T: +61 2 6288 6916   http://www.xamax.com.au  http://www.rogerclarke.com

Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Visiting Professor in the Faculty of Law            University of N.S.W.
Visiting Professor in Computer Science    Australian National University
