Data retention policy – more risks than gains?

On the one hand we hear the government saying that we shouldn’t be worried, since most of what is in this bill is already available to the security agencies. If that is the case why do we need a totally new bill? This in itself should be a warning to study it very closely. Furthermore, once the bill is through it can easily be amended by others at a later stage to reflect more what the spy agents want. So what now seems a more palatable bill than the one that was presented a few months ago could easily be changed in the future.

Also, it is rare for a bill like this to be withdrawn by a future government. Politicians will be exposed to scaremongering tactics from the media, the police and the military and they will not dare to withdraw the bill at a later stage; so the bill plus future ‘enhancements’ will stay for us for a very long time, so we better think deeply about this.

Of course there are legitimate reasons for the security forces to use the latest technologies available to them to prevent crime and to prosecute those involved in terrorism, child pornography, paedophilia, and so on. But all of that needs to be balanced – first of all, against privacy and personal freedom and, secondly, against the real risk to Australia that these activities represent.

Harm by terror is a thousand times less likely to happen than harm through illness, car accidents, sporting accidents, work accidents and so on. Furthermore, what about the new risk that is incurred by storing all the data of the entire Australian population in centralised databases? Regardless of what the government will say, it cannot guarantee the security of this data against incidents, human error, hacking, criminal behaviour and overseas (forced) access to the data. Furthermore, as Communications Minister Malcolm Turnbull has himself stated, criminals can use the same technology to stay under the radar and not show up in the retained data.

I would like to outline my concerns about this proposed bill by breaking them down into three areas.

The aim of the proposed legislation

First of all, what is this legislation aimed at?

Of course, the government tells us it is terrorism. But when the previous government started to develop a data retention policy the issue was child pornography and internet filtering. Then when the issue resurfaced under a new government in June of this year the reason was copyright protection. But with a floundering Attorney General George Brandis and Prime Minister Tony Abbot the issue was quickly relabelled anti-terrorism, since that represented a much better sales package.

Already the Australian Federal Police has clearly indicated that these new laws will be used for other criminal activity, including copyright prosecution. They may have withdrawn that comment but the fact that it was made in the first place clearly shows what we can expect in the future.

Purely coincidentally, of course, only a week before the hasty tabling of the new laws, the highly secretive Trans-Pacific Partnership (TPP) between Australia, the USA, Canada, Japan, Mexico, Peru, Vietnam, Malaysia, Brunei, Chile, New Zealand, and Singapore met in Canberra, where no doubt the US delegation again put pressure on the Australian government to take more draconian action on copyright.

While Communications Minister Malcolm Turnbull – having been appointed as the new salesman of the bill – remains adamant that the data retention laws have nothing to do with copyright, this issue is already being contested within the broader levels of government, and within a political context there is always the risk of intended or unintended creep.

Let us hope the Minister sticks to his views on personal freedom, which he so eloquently expressed during his rebuttal of a similar internet security proposal put forward by the Labor Party two years ago.

The internet tax

Secondly – the cost.

What is important here is to interpret the response from the industry in that context. The government has indicated that the cost will not be placed squarely on the industry, so that is basically the only issue for the industry (apart from the technical issues around what is possible and what is not). This, however, does not constitute moral approval on the part of the industry. They will have to follow the law whether they like it or not. If, for example, iiNet were to reject the law on ethical or moral grounds it would be fined and eventually it would simply go under.

It is like the chemical factories supplying the gas to the legitimate Nazi Government in Germany – gas which was subsequently used for such horrific purposes; or the car manufacturers being forced to build tanks, construction companies building the concentration camps, and so on. The government was legitimate and it paid; so, for the industries involved, that was all there was to it. Some people within those companies might, probably would, have had moral reservations about this but the companies were obliged under the laws of the land at that time to do what they were asked to do.

Another interesting element here is to see what happens if the industry doesn’t have to pay for it. Where will the government get its money from? Answer – from an internet tax. Last week we saw 100,000 people in Hungary march in the streets against an internet tax that was proposed there, and days later the government hastily had to withdraw the proposal. I am sure that the Australian government will study this Hungarian test case.

While the government will claim that this will not be a tax, the carbon tax also was not a tax but the Coalition was more than happy to use those words to its political advantage.

Furthermore, the only way to deal with the cat-and-mouse game around security, hacking and new encryption and other technologies is to keep on spending more money, and this will make the system more costly by the day. Also, what use is it to just have the data? To actually use it to fight terrorism data analytics are required (big data) and this, again, is a very expensive exercise. The system to simply hold the data could cost, say, around $200 million, and actually using the data in any intelligent way could easily double that figure and to keep up with technologies and other changes double that again in years to come, so you are quickly talking about a $1 billion project over the longer period.

Security risk could be higher than its gain

Security is the third key issue.

As I have said many times, we strongly oppose terrorism and we fully support the international effort to fight radical groups such as IS and Boko Haram. We also loathe the idea of child pornography and paedophilia (the key starting issues of the original Labor law proposals).

What I do question is the blanket collection of private data on all citizens, of which 99.9999% is useless in the fight against terrorism.

The terrorists and other criminals we want to catch will not be sitting still. In the Minister’s own words:

 Why do we imagine that the criminals of the greatest concern to our security agencies will not be able to use any of numerous available means to anonymise their communications, or indeed choose new services that are not captured by legislated data retention rules?

So those 0.00001% of people who have to gain the most from ensuring that they won’t be caught via the data retention scheme will be the first to use the other parts of the technology to ensure that they remain invisible. The government will then be left, in general, with information on perfectly legal internet behaviour of 99.9999% of the population.

Furthermore, just to make sure, hundreds of thousands of other ordinary and law obeying citizens Australians will also find ways to become  ‘anonymous’ simply because they don’t want other people to know what they do in their private lives. Regardless of what the minister or the legislation say, these people will not trust Mr Turnbull or the government on the strength of a promise that the legislation is not to be used to check on anything other than high level criminal behaviour.

It looks like piracy will be one of the internal battlegrounds that need to be settled within the government.  In relation to that, unless the Hollywood Studios change their business model we argue that piracy will only increase – so little gain there either.  Malcolm Turnbull has taken a strong position on this, but even those who trust Mr Turnbull on the issue will ask the question – what will be next? Who will be there after him? The next minister might think differently. Unfortunately fewer and fewer people now trust their government – apparently this percentage is even higher in Australia than it is in the USA. Also, as mentioned above, once you have such a system in place it is highly unlikely that a subsequent government will repeal the law. In general, once such a system is in place events can easily force that creep to occur.

So potentially the new laws can do more harm than good.

The latest report from the US Government Accountability Office (GAO) shows how unsuccessful government agencies have been in securing the information that was required under the E-Government Act of 2002.

  • Security incidents have doubled since 2009; there are breaches at every single federal agency.
  • Inspectors General at 21 of the 24 Federal agencies say that security is a major management challenge, and 18 of those reported it was a major material weakness.
  • Wikileaks and the Snowden revelations all happened since then.
  • Also it is interesting to see what can happen with your information, as was revealed in the case of an Oklahoma Sheriff who was found collecting data on citizens.

What this shows is that there is a more or less 100% guarantee that incidents and accidents will also happen with the Australian data. We have seen classified government data being left on a train; tax data in a rubbish bin; our credit cards numbers are most likely available, and some are indeed used by criminals; the Westpac bank lost customer data, and so did Telstra. I am not picking on these examples – the list is endless, with more being added to it almost daily.

Furthermore, having all of the data of the Australian citizens together in one system makes that system an ideal target for criminals and others to see what is happening in this country. It won’t be too difficult for, say, the Chinese spy agency – which most likely employs the largest number of hackers anywhere in the world – to see what Australians are saying about their country. Under current arrangements the USA will automatically get access to it. And even if the government tells us that won’t happen we all know that NASA will, in one way or another, obtain access to this data. So it is not too far-fetched to conclude that other spy agencies (and goodness knows who else) will also be able to do the same. Nobody, absolutely nobody, can guarantee that this will not happen.

This is why legislation such as is currently proposed in such an open-ended structure in Australia was not accepted by the EU. Many countries there have had first-hand experience of what it means if information falls into the wrong hands. It was the excellent retention system on personal data in the Netherlands that was used by the Nazis and as a result of that the Netherlands saw most of its Jewish citizens being killed during WWII, while countries that lacked such a system – for example, Denmark and Italy – were better able to protect theirs and here most Jews survived the war. It is no wonder that Germany now, is paranoid by any new data retention system.

Also worrisome – what guarantees are in place so that this information doesn’t end up, ‘accidentally’ or not, with the Hollywood Studios, who are very eager to use this data under the TPP to protect their business. They certainly are keen to go into expensive and lengthy prosecution procedures to get their way, and once this bill  is in place they will most certainly try to find any legal way to use this bill to their advantage.

Parochial thinking doesn’t solve the problem

Terrorism is a global issue and monitoring the 25 million Australians via new data retention laws is unlikely to create any more security within our country than we already have. It is safe to state that, directly and indirectly, the threat comes from outside Australia. How are we going to monitor the three billion people in India, China or Africa – or the hundreds of millions of people in and around the Middle East?

On the other side, security experts are saying that the next wave of terrorism will be more likely to come from an incidental/a random home-grown killer than from a pre-planned and well-organised event, and this will be far more difficult to prevent.

We must also ask ourselves how many people are killed in Australia (or elsewhere) through terrorism; and we then need to make a judgement from that perspective about how far we are prepared to go in surrendering our hard-won personal liberties attempting to prevent these unfortunate events.

Yes, let us address terrorism, but let us do so in a measured way.

Luckily we will have time to discuss these proposals in more detail; and certainly let us come up with legislation that enables the authorities to catch potential terrorists in Australia. But at the same time let us be very aware of the enormous price that we will have to pay – not to mention the possibility that the risk we run by enacting this legislation will be greater than what we gain.

So far the bill is open for discussion. So there is still a chance to look more seriously at the proposals, and more importantly to discuss these issues with the Australian people. If the people are not buying into the legislation many will find ways to avoid compliance, like they did with piracy. If they see it as unjust legislation they will not feel compelled to comply. It is therefore up to the government to come up with legislation that is perceived by the people to be reasonable and acceptable; then compliance will follow.

I have not covered the National Security Legislation Amendment Act, which will be a severe limitation to freedom of speech, with jail terms of up to 10 years for journalists (and others) who disclose information regarding security issues that could harm the country. The reaction of the government to Wikileaks and the Snowden revelations demonstrates what it will deem harmful and therefore gives us an indication on how severe these restriction will be, this is a very bad omen indeed. I have reported before on this issue, which is very close to my heart.

I will end with the title of Mr Turnbull’s presentation in his 2012 Alfred Deakin Lecture – Free at last! Or freedom lost? Liberty in the digital age.

Australia will hold Minister Turnbull accountable for what he ultimately puts in place for this country.

Paul Budde

We invite your comments: 1 Comment on Data retention policy – more risks than gains?

Tagged in: , , ,