Unneccesary & disproportionate: An open letter regarding Mandatory Data Retention

by benkloester

I want to talk a bit about the mandatory data retention bill likely to be introduced in parliament this week. Unfortunately we are scant on specifics because the bill is not yet in parliament, and the documents and consultations (with industry only, not the public!) so far carried out have been kept behind closed doors, responses to FOI requests delayed past extended deadlines, and documents released with large redactions, or not at all. As such I’ll limit my comments to the general outline of the plan as communicated by Liberal AG Senator Brandis.

The appeal, for the government, of a law requiring ISPs to retain data on subscribers is immediately obvious – it ostensibly provides the ability for government to attain intelligence information at a later date, whilst “outsourcing” not just the operational aspect of data collection, but the moral “baggage” – a government storing swathes of data on us is typically perceived as Orwellian, but a company retaining it may just slip below the public’s notice.

But in mandating the compulsory collection of such data, we are threatening the privacy, speech and even the very way of life Australians have a right to enjoy. And even if we set aside these noble ideals, and consider data retention purely from an amoral cost-benefit point of view, it doesn’t pass muster. I will divide the problems with Mandatory Data Retention into two camps – ideological, and pragmatic.

Ideological Objections Pragmatic Objections
It violates our right to privacy No clear need for it
It impedes freedom of speech and association It is unlikely to be effective
It reverses the presumption of innocence It will be exploited by bad actors
It imposes an unfair & onerous burden on business
It will be exceedingly costly

Ideological objections

Mandatory data retention violates our right to privacy

Privacy is a fundamental human right, and is central to the maintenance of democratic societies. It is essential to human dignity and it reinforces other rights, such as freedom of expression and information, and freedom of association, and is recognised under international human rights law[1]. Privacy is recognized as an important right in Australian law[2] .

Australians every day browse the web with the expectation not just that their government isn’t snooping on the sites they are visiting, but that their ISPs are not doing so either. Mandatory data retention (à la Brandis/Abbott) explodes that possibility, by making it compulsory that ISPs retain the means to violate their customers privacy, and examine potentially the most intimate details of their lives. I should point out that something that I and all other Australians are aware of: privacy is not about having anything to hide, but rather is an inherent requirement for the dignified enjoyment of one’ s life. To say that privacy is only for the guilty means that we should all be happy to reveal our bank balance, sexual activities, naked photos, private correspondence, health conditions, political leanings, the list goes on – a ridiculous assertion, of course.

Attempts to play down retention by characterizing it as the collection of only “metadata” are misleading. In fact, there is no clear distinction between metadata and data: in truth, metadata IS data. This could be no more apparent than when illustrated by the bumbling Brandis himself, who in interview could not even get the concepts straight in his own head! Add to this a recent inter-american court decision that both content and metadata are equally protected[3], and former NSA & CIA director General Michael Hayden’s assertion that “We kill people based on metadata”[4] and it could not be clearer that the distinction between data and metadata is meaningless.

[1][See eg. Universal Declaration of Human Rights Article 12, United Nations Convention on Migrant Workers Article 14, UN Convention of the Protection of the Child Article 16, International Covenant on Civil and Political Rights Article 17]
[2][Office of the Australian Information Commisioner – Australian Privacy Principles]

Mandatory retention chills free expression, and impedes freedom of association

When people know that they are being observed, they moderate their expression. Were it not so, we wouldn’t have the phrase “dance like nobody’s watching”. Surveillance leads to a culture of self-censorship and chilled speech. In extreme examples this is motivated by the the fear of extreme retribution for certain speech. And for reasons like this, anonymous speech is also very important and worthy of protection – anonymity protects dissent by eliminating fear of reprisals and breaking the silence of self-censorship. In fact anonymity is already considered a right under the Privacy Act[5], but this right is yet another that would be eroded by even the most modest of retention schemes.

But fear of violent retribution is also not required to diminish our expression when we know we are being watched. The mere fear of observation will often be enough to chill speech, be it sharing political views on  forums or sharing an intimate chat session with a loved one.

And even in a democratic country like Australia, where we tend to discount the likelihood of violent suppression of dissent, it is perfectly rational to worry about government-imposed consequences for innocent speech and actions. Already common are nervous jokes about ending up on an ASIO watch list or no-fly list for visiting the “wrong sites”, and with the many examples of blunders, false positives and overreactions from state intelligence and law enforcement around the world, Aussies are likely to end up speaking and browsing with an abundance of caution. And with experiences like that of Michele CatalanoMr ‘Mohammed’ or Bilal Daye in mind, who can blame them?

To make matters worse, with the amount of information available and evolving surveillance technologies, law enforcement agencies now can directly observe people’s relationships and interactions and make inferences about their intimate and protected relationships. Inferring political affiliation, union membership, club membership, associates, interests, even likely voting choices, all would be possible from the type of data that could be collected under the scheme. This of course chills our capacity to freely associate ourselves  – we will always be looking over our shoulder, wondering whether ours will be the group to come under scrutiny. There is a long history of politically-motivated abuse of intelligence powers, from the FBI’s monitoring of Martin Luther King to ASIO’s more recent spying on anti-fracking activists.

As the UN Special Rapporteur on Freedom of Expression and Opinion points out in a recent report on state surveillance and freedom of expression: “Communications surveillance should be regarded as a highly intrusive act that potentially interferes with the rights to freedom of expression and privacy and threatens the foundations of a democratic society.”[6]

Mandating government ability to surveil all of its populace reverses the presumption of innocence

The model of law which operates in Australia includes a presumption that someone is innocent until proven guilty, and requires reasonable grounds before a search may be conducted. The government may argue that collection of data (by easily co-opted third parties) does not constitute a search, but that is exactly the intent behind retention. Wholesale collection of data (such as the one-warrant-for-whole-world surveillance allowed by the language of the recent draconian national security amendments) of everyday Australians is akin to treating every Australian like a suspected criminal, reversing the burden of proof and perverting the presumption of innocence.

Mandatory data retention imposes an unfair & onerous burden on business

Retention turns telcos and ISPs into the little brother, the co-opted private intelligence lackeys of the government, forcing them to act as a convenient repositories of private information. This injunction on the free and fair operation of these businesses is unfair and immoral. Many of the  operators of ISPs may have strong feelings about being complicit in the invasion of Australian’s privacy, and the Australian government should not force them into this position.

Pragmatic Objections

There is no clear need for wholesale data retention

Maximal data retention, as posited by Brandis et al, is a solution looking for a problem.

The Australian Federal Police’s requested retention model is modest, particularly when compared with the Brave New World most favoured by the Liberal administration. And even then, “law enforcement has been unable to mount a convincing case, relying instead on anecdotal evidence, and “highlighting individual crimes without any detail about the significance of the role played by metadata”[7].

Furthermore, the Telecommunications (Interception & Access) Act already provides tools for interception, under lawful warrants. The police have the right and ability to intercept the data they need as part of an ongoing investigation. With mandatory retention, police are asking for the ability to retroactively start an “ongoing investigation” up two years in the past, without any reasonable grounds at the time, and without having mounted a convincing case for why this would be of great use. Which leads me to my next point: that mandatory detention is not even likely to be effective towards its supposed goal.

When it comes to achieving its purported goals, mandatory retention doesn’t even work!

There is no  evidence that this type of data is crucial or even always useful to police investigations – police have been solving cases for a lot longer than the internet has been around, and have a well-developed toolkit of methods that do not involve such a sacrifice of privacy and liberty. Furthermore, the introduction of a mandatory data retention scheme, or other mass surveillance schemes, would simply lead to those having a real need to conceal their activities to implement means to avoid detection, such as VPNs and encryption. If the average savvy Australian consumer can figure out how to watch US TV, a motivated bad actor can certainly hide their activity from this costly scheme.

The abysmal effectiveness of the use of retained data is demonstrated best in a German study, where requests for metadata were successful in 96% of all cases, but it was found that the data retention program was able to raise the crime clearance rate by 0.002% at best.[8]

What is more, even the purported goals of retention are nebulous. These (as well as intelligence powers amendment) laws are being touted as essential in combating terrorism, but as we have seen in many jurisdictions, this is a false flag used to obtain these powers, which are in fact not particularly effective for counter-terrorism purposes[9]. The scope is then allowed to creep so that surveillence powers are being exploited for run-of-the-mill criminal or even civil investigation, and not national security or intelligence at all. For example, an Austrian review found that the most common law enforcement use of retained data was for cases of theft, followed by drugs, followed by stalking[10]. And in Poland data retained under the mandatory detention law has become common fodder for subpoenas in civil suits, including divorce cases![11]

Once we have mandatory data retention, how long before the average Australian starts getting nasty-grams from HBO for downloading Game of Thrones, or court orders from their ex wanting a data fishing expedition to find fault in a divorce?

Large swathes of accumulated data aren’t just appealing targets for government – bad guys will want them too!

As is now clear to anyone that has ever registered and account or paid for anything on the internet, we are *bad* at security. It’s not so much a matter of whether you’ve been a part of some mass leak of data, but when[12]. And now we want to mandate the collection and storage of a whole bunch more data? ISPs’ store of mandatory retention data will be an incredibly appealing target for hackers, and with the heterogeneous nature of the ISP market, do you really think that every provider will be immune to compromise? Of course not. There will be breaches.

It’s worth pointing out that this is merely a smaller instance of a much larger phenomenon – that of governments’ surveillance systems and back doors being re-purposed by the ‘bad guys’. You see, because in order to acheive their objectives in intelligence, governments often mandate the introduction of less secure architectures, or ‘backdoors’ – but there is no way to make a system insecure to one and not to all. This was dramatically demonstrated in 2005 in Greece, when someone exploited backdoors in a Greek phone company’s systems and recorded sensitive conversations involving the Prime Minister[13]. And more recently the Washington Post reported that intruders, allegedly working on behalf of the Chinese government, broke into Google’s existing surveillance systems[14].

The point being that any back door or retention scheme opens up the possibility that it will be exploited by bad guys, and not just the good guy government which always has our best interests at heart.

The economic costs are astronomical

Finally, any mandatory data retention scheme is likely to come with a massive price tag. Metadata storage for a single large ISP could be as much as 1 petabyte a day, and the cost per subscriber as much as $130 a year[15]. Since the government is not lining up to eat that cost it would have to be passed on to the consumer. And to put that 1 petabyte in perspective, that is 1000 new high-density hard-drives being filled, Every. Single. Day.

Given all the other disadvantages of such a plan, does it really make sense to spend this kind of money on it? And doesn’t making us, the ones being spied on, pay for it, rather add insult to injury?

Conclusion

Brandis has tried very hard to give this dog of an idea legs, but the fact of the matter is it warrants no legs. Coming from someone supposed to espouse “liberal” values and be for reducing government interference, this recent push for draconian surveillance and expanded government is a staggering hypocrisy.

Mandatory data retention is an idea whose time has gone. It would be better to say that its time to die has come. Contrary to Brandis’ claim earlier this year that data retention was “the way Western nations are going”, the very opposite is true. In Europe, where it had its genesis, it has recently been ruled unconstitutional; similar measures in the USA were canned after strong popular backlash; the world over it is being wound back, repealed, and abandoned.

Do we really want an out-of-favour policy that is incredibly costly, demonstrably ineffective, risks exposing our private information to hackers, and which violates our basic rights to privacy, freedom of speech, freedom of association, the presumption of innocence, and the ability to live a life free from invasion?

When you put it like that, it doesn’t really sound like a hard question to answer.

To defeat these unnecessary and disproportionate measures, we need to make our local MPs understand this issue, and understand that we will not forgive them for supporting them. To do so, head to Stop the Spies which will connect you with your local member! Emails, letters, calls, tweets – help me get this message out there!

Stop the spies

Stop the Spies!

Advertisements