1984: Redux, or Much Ado about Data?
After months of debate and discussions both in public and private, the Federal Government is set for a significant policy ‘win’ in relation to legislation requiring the retention of data by Internet Service Providers and Telecommunication companies. The Federal Opposition has struck a deal whereby it will support the Government’s legislation provided some amendments are made, most significantly providing protection for journalists and their sources by requiring a warrant to be issued, a process that will be assessed by a ‘public interest advocate’.
Mandatory retention of meta data is now an almost certainty, despite lobbying from a variety of industry groups. But what is meta data, and should we be worried about the Government’s changes?
What is meta data?
Many attempts have been made to explain what constitutes meta data (including a quite famously criticised attempt by the Attorney-General).
Put simply, meta data is data about data. Whilst the Government may not get to know about the intimate conversation you had with a fellow lover of Justin Bieber, the fact that you have called the Justin Bieber fan club every day for the past 2 years would be, as well as the fact that you have sent 97 emails to your fellow Beliebers. The laws would also require data about where you were when you made the call to the fan club, and how long you spent on hold.
To be precise, under the proposed legislation, meta data includes information relating to:
(a) characteristics of any of the following:
(i) the subscriber of a relevant service;
(ii) an account relating to a relevant service;
(iii) a telecommunications device relating to a relevant service;
(iv) another relevant service relating to a relevant service;
(b) the source of a communication;
(c) the destination of a communication;
(d) the date, time and duration of a communication, or of its connection to a relevant service;
(e) the type of a communication, or a type of relevant service used in connection with a communication;
(f) the location of equipment, or a line, used in connection with a communication.
This seems to match up with the general understanding of meta data. The legislation also specifically excludes collection of several types of data, including browser history and the contents of a communication.
The actual details of what data must be kept is somewhat ambiguous though, and many commentators are taking little comfort from the fact that the types of data to be collected are to be determined by regulations, meaning that the Government can unilaterally decide what data is to be kept (within the limits of the legislation).
What does this mean in practice?
The key aim of the legislation is to require ISPs and telcos to keep specific types of data for a defined period of time (currently set at 2 years after the closure of an account for data about that account, and 2 years from the creation of the data in all other cases).
This data will then be made available to particular agencies generally without warrant, although some of the amendments sought by Labor now mean that information relating to journalist’s sources will require a warrant to be sought. Concerns have been raised, however, as the Attorney-General will be able to expand the agencies and organisations who can gain access to stored meta data, and because there are inherent ambiguities in the amendments that the ALP has secured (for example, is a blogger on this site a journalist?).
Other concerns arise in relation to what would otherwise be sacred such as communications between a lawyer and their client. Would, for example, the Police be able to draw an inference from the fact that an accused person called their lawyer 4 times in quick succession after an alleged crime had been committed?
Why is the government doing this?
Ostensibly the Government is pursuing meta data retention because it believes that it requires the data to combat terrorism, serious and organised crime, and child sex offenders. As the data is not actually the contents of communications, the Government has downplayed the need for warrants to grant access to the meta data. The Attorney General’s website says:
‘Warrants are typically reserved for the most intrusive powers, such as the power to use force to enter a home, to intercept phone calls, or to arrest a person. Many powers, including access to metadata, simply do not rise to that level. However, the government will introduce comprehensive, independent oversight of any enforcement agency that accesses metadata by the Commonwealth Ombudsman.’
The Government also argues that the ability to access meta data is not new, but rather the key here is the length of time that organisations need to keep the data (which the Government also suggests is already being kept – although Telstra has recently disputed this claim).
What are the arguments against the new laws?
With any law regarding national security, a fine balance must be struck between protecting individual liberties, such as privacy, against the national interest and security.
Groups such as the Law Council of Australia have argued that there is insufficient evidence to justify the change in law, and have highlighted the failure to require warrants in all circumstances as being of significant concern. For example, there is no evidence that the Martin Place siege would have played out any differently if there had been meta data retention laws in place. The Government has made reference to urgency and the need for meta data, but there has been little evidence presented to back this up.
Some are concerned that the laws would also provide additional opportunities for non-government actors to get access to data through Court processes that would not have otherwise be retained. For example, copyright owners could use the laws to subpoena information about internet habits of alleged infringers of their copyright.
Others have pointed to the significant powers given to the Government to extend the ambit of the laws that would not require parliamentary oversight. ISPs have also contested the claims that all of the data referred to under the Act is already being collected, noting that there will be a cost associated with mandatory data retention.
One concern that also arises is the fear of data security. If all of this meta data is now being held by ISPs, what happens if they get hacked? This was a fear brought into stark relief in 2012 when the ‘hacktivist’ group Anonymous released customer records from ISP AAPT in a protest against the then government’s data retention plans.
Where does the truth lie?
Whilst much of the concern surrounding meta data retention may be seen as shrill concerns unfounded by reality, I do believe that there is reason for significant concern about the types of laws that are being mooted by the Government. The meta data captured by the Act is obviously valuable and telling, otherwise why would it be of any use to the Government. Meta data could be used to demonstrate association between individuals, provide details on spending habits, political leanings or sexuality. Whilst the Government may not be interested in this, the systematic storage of the data opens up the possibility of the data falling into unauthorised hands. The massive flexibility of the laws, combined with the lack of requirements for warrants is also a significant concern as a matter of principle. Civil liberties should only be eroded where there is clear evidence of a public good that outweighs that erosion. I am not convinced that this has been established in this instance.
Meta data may be data about data, but it is clearly data about you. To my mind the strong opposition by groups such as the Law Council of Australia is well founded, and certainly justified.