Dear George, this is how you can fix your mass surveillance program
substantially reduced if the government and security agencies were
willing to accept some limitations.
Is there any way that the government’s mass surveillance
bill currently before parliament, which aims to impose a data retention
regime on the country’s telecommunications companies and internet
service providers, can be made safe?
It’s a near-impossible task, partly because the government’s
entire rationale for the bill keeps changing. On the one hand,
Communications Minister Malcolm Turnbull and Attorney-General George
Brandis insist this is merely about retaining the status quo to prevent
future loss of access to data; on the other hand, Brandis warns that
agencies are already losing access to data, and there’s an urgent need
for it. And in a quite astonishing remark on Monday on the ABC, Brandis
claimed that there were no existing metadata laws, when a metadata
preservation regime has been available to agencies like the Australian
Federal Police and ASIO for two years — and isn’t used by ASIO.
Whether Brandis was simply mistaken — the Attorney-General has a
history of getting basic facts wrong — or lying isn’t clear, but it
further confuses the rationale for the regime.
But if, for argument’s sake, we accept there is some
justification for mass surveillance of this kind by security agencies,
there could be ways in which the proposed bill could be amended to
reduce, if not remove, its problems.
The first is something the government has already gone part
way to doing itself. Correctly responding to concerns about the wide
range of agencies, including non-government agencies, that can access
metadata, the government has limited access to retained metadata to a
list of law enforcement bodies in the bill. But further assurance could
be provided by removing the power of the Attorney-General to add
agencies to that list and instead giving Parliament that power — that
is, if local councils and the RSPCA want to access stored data, access
must be legislated, not made at the whim of someone like Brandis. Better
yet, access to all metadata, stored under a data retention regime or
not, should be limited to law enforcement agencies.
If, as Brandis insists, “the mandatory metadata retention
regime applies only to the most serious crime — to terrorism, to
international and transnational organised crime, to paedophilia,” then
there should be no problem with imposing a requirement that agencies get
a warrant in order to access stored data, rather than merely going on
fishing expeditions. Security agencies object to a warrant requirement,
saying it would impose an impossible burden on them. Given the total
number of requests for metadata is now over 300,000 individual instances
each year — and that number doesn’t include intelligence
agencies — that argument looks credible. But that number says more about
the rampant overuse of metadata requests — which currently don’t
require a warrant — than about the warrant requirement itself. The
argument against warrants also relies on the claim that metadata is less
innocuous than content data, which for reasons we’ve repeatedly explained before, is simply false.
If getting a warrant really is too onerous for security
agencies, how about a graduated scale: ordinary call data — who, to
whom, duration — doesn’t need a warrant, but information on a mobile
phone’s location, and ISP data, does?
The biggest threat contained in the bill is to people who
want to expose wrongdoing within government or corporations, who will
now find it far more difficult to distribute information without risking
their anonymity either through a phone call or a record of their online
address. It will also make it more difficult for the traditional
recipients of whistleblowing material, journalists and politicians, to
safeguard the identities of people confiding in them. Under data
retention, security agencies will have far more material with which to
track down a whistleblower, starting with the journalist who has written
an embarrassing story, or a politician who has use parliament to reveal
information. The AFP has already admitted that it obtains the metadata
of journalists and politicians, and data retention will establish a huge
resource for them to access for up to two years after a leak; indeed,
police accessing of journalists’ metadata is rife in the UK.
And large companies, knowing their employees’, journalists’ and
politicians’ phone records are retained for two years, will be able to
use court orders to secure access to metadata not currently retained in
order to hunt down whistleblowers who have exposed them.
The solutions are straightforward: the Brits are going to change their data access laws
to require police to obtain a warrant if they want to obtain a
journalists’ metadata, with a presumption that access would not be
granted if the journalist was acting in the public interest. Such a
protection should also be extended to politicians — which risks
criticism that politicians are unwilling to subject themselves to
surveillance like everyone else, but is worth it to minimise the threat
And access to retained metadata should be placed beyond the
reach of court orders and private litigation, limited strictly to
security agencies. This will both reduce the threat to whistleblowers,
and give effect to the government’s insistence that, contrary to the
claims of the AFP Commissioner Andrew Colvin, data retention isn’t about
allowing the copyright industry to pursue downloaders.
Finally, a proposal that no security agency, if their
rhetoric is to be believed, should have the slightest problem with: the
data retention scheme should outlaw companies retaining information other than
what is specified in legislation. No other forms of metadata, no
content, nothing: ISPs and telcos would henceforth only retain a
specified set of metadata and it would be illegal to retain any other
data on consumers, unless as required under normal warrant processes or
for data preservation purposes. Intelligence and law enforcement
agencies insist that they do not obtain any other data from
communications companies without a warrant. In which case, let’s
legislate that, and lay to rest the oft-repeated concerns, expressed by
people with detailed knowledge of the sector, that companies are keeping
and passing on both metadata and content data freely to security
agencies without any accountability or oversight.