Thoughts on Australian Data Retention

12 Oct 2015

On May 20, 2013, Edward Snowden flew to Tokyo after leaving his job as a contractor at the NSA; mere weeks later he revealed PRISM to the world. Since then, countless more documents have been released revealing the extent to which the US and allied governments have been unlawfully spying on their citizens.

In 2015, with bipartisan support, the Australian government passed the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2015. Tomorrow (October 13, 2015) this bill comes into effect. The laws state that all data must be kept for two years; this includes telephone logs, SMS logs, online activity logs, and email metadata. At the discretion of the Attorney-General[1], almost all agencies can access this data without a warrant.

Australia was a key member of the clandestine surveillance program Five-Eyes, but from tomorrow the government has legalised what was previously only a shady NSA activity.

Waved through parliament at irresponsible speed, the Data Retention Bill 2015 was marketed as our greatest weapon in the war on terror. There is no sunset clause in the legislation. There is nothing to stop fishing expeditions: a search or investigation undertaken with the hope, though not the stated purpose, of discovering information[2].

Most importantly, you will never be informed of an agency accessing your metadata. Revealing that someone’s data has been accessed carries a two-year jail sentence.

Agencies With Access

As Quentin Dempster highlights, the list of agencies already with approval to access this data is almost as long as the list of agencies in Australia. Just include Australia Post and it’ll be a warrantless-privacy-invasion party, confetti included[3].

Government and law enforcement agencies with unrestricted access to your data:

  • ASIO (Australian Security Intelligence Organisation)
  • Australian Federal Police
  • All state and territory police forces
  • The Australian Commission for Law Enforcement Integrity
  • Australian Crime Commission
  • Australian Customs and Border Protection Service
  • Australian Securities and Investments Commission
  • Australian Competition and Consumer Commission
  • NSW Crime Commission
  • NSW Independent Commission Against Corruption
  • NSW Police Integrity Commission
  • Queensland Crime and Corruption Commission
  • West Australian Corruption and Crime Commission
  • South Australian Independent Commission Against Corruption
  • Any other agency the Attorney General publicly declares

Since when has the Australian Competition and Consumer Commission (ACCC) fought against terrorists? The ACCC is meant to protect me against bad products and shonky workers. Not terrorists.

We’re Going Backwards

While countries around the world, led by Europe, are legislating safeguards into their data retention laws, Australia has done the exact opposite. The USA has just passed the Freedom Act, which limits agencies’ access to phone logs. The EU has passed many acts with the freedom of its people in mind.

China and Australia on the other hand? Well, they’re expanding their retention and access laws as fast as they can print the bills themselves.

Edward Snowden, at the Progress 2015 conference (via video link), condemned Australia for its new law, saying, “What this means is they are watching everybody all the time. They’re collecting information and they’re just putting it in buckets that they can then search through not only locally, not only in Australia, but they can then share this with foreign intelligence services.”

“They can trawl through this information in the same way. Whether or not you’re doing anything wrong you’re being watched.”

Edward Snowden

Stopping the Bad Guys

Quentin Dempster, writing for the Sydney Morning Herald: A spokesperson for the Attorney General’s Department told Fairfax Media metadata was a vital tool used in “virtually every counter-terrorism, organised crime, counter-espionage, cyber-security, child exploitation and serious crime investigation”.

The case made for metadata retention is that it is in the name of terrorism. With all this data on every Australian we can stop the bad guys before they attack. This is yet to be proved.

In both the 2014 Sydney Siege and the 2015 Charlie Hebdo shooting, the attackers were known to the government. Having more data on other persons would not have increased the authorities’ knowledge of these attackers.

There is literally no empirical evidence mass data retention helps authorities. If anything there’s too much data to be useful.

Having said that, spying to stop potential threats is incredibly necessary. The question is not whether we should empower the AFP and ASIO to perform activities to gather information on known “bad guys”, but rather should we let them spy on all of us?

But, I’ve Got Nothing To Hide

I should be able to debunk this claim with one example, made by Michael Bradley for The Drum. Your data can be subpoenaed for production in any court proceedings. Let’s hope your soon-to-be ex-partner doesn’t decide that your web logs are of importance to the civil law custody battle over your children.

It’s pretty safe to say most of us aren’t “bad guys”. I doubt any of you have plans that will require a government agency to access your metadata[4], but I can almost guarantee some of you will have your data accessed for something less exciting but still impactful to you.

Many proponents of data retention argue that because we’ve already given more data to Facebook and the like, it shouldn’t matter. Firstly, Facebook and the level of access you give it to your life is purely opt-in. Secondly, for an agency to gain access to your Facebook data they must provide Facebook’s lawyers with a warrant for the data. From tomorrow, these agencies need no warrant, remember?

Dear Hackers, We’re Open For Business

Telstra, in a blog post, outlined one of my great concerns with data retention. “We are creating what has been called a ‘honey pot’ for hackers and criminals to target.” Surely, in the last few years it has become apparent to the general population, just as the InfoSec community has always known, that everything can and will be hacked.

“A ‘honey pot’ for hackers and criminals to target”

Mike Burgess (for Telstra)

Just this week President Obama, speaking in Cupertino, “backed down in [his] bitter dispute with Silicon Valley over the encryption of data on iPhones and other digital devices, concluding that it is not possible to give American law enforcement and intelligence agencies access to that information without also creating an opening that China, Russia, cybercriminals and terrorists could exploit.” (Nicole Perlroth and David E. Sanger for the New York Times, Oct 10, 2015).

Even if the government doesn’t access your metadata, and your soon-to-be ex-partner (or insurance company, or employer, or whoever is suing you) doesn’t access your data, someone is probably going to hack it and dump it Ashley Madison style. Then some kid in his parents’ basement is going to ruin your life because they know everything about you.

What Can I Do About It?

Okay, we get the point, this is shit. If you’re still not convinced or want to learn more I highly recommend Crikey’s article Your guide to the data retention debate: what it is and why it’s bad.

What can I do, considering from midnight tonight everything is collected?

For once I can say follow our Prime Minister, The Honourable Malcolm Bligh Turnbull MP, in his technology choices[5]. Malcolm uses Wickr and WhatsApp because he doesn’t want people reading his personal messages.

He said, “I don’t give technical advice, I provide a bit of background. I’m not the tech butler, I’m the Communications Minister, but I think it’s important to be aware of security”. Ah yes, security and privacy; remember those things in the future, when they are a distant memory.

The Electronic Frontier Foundation (EFF) has an up-to-date ranking of private messaging services. You can look through the list, but my choice is Apple’s iMessage service. Yes, it’s neither open source, nor can you truly verify the identity of the other party, but it fits all other categories. Along with this, Apple is heralded for its strong stance on privacy, at times to the detriment of user experience.

Regarding email, your best bet is with an off-shore hosting company. It is difficult to understand where Google (Gmail) stands with tomorrow’s new laws; however, they would be a better option than, say, a BigPond or Optus email address. FastMail, an Australian company, locates its servers off Australian soil just so that they don’t have to abide by the new laws.

Internet Access and Pirating

While not designed for the punishment of illegal pirating, the Data Retention laws will almost certainly be used for it. We have our friends at Village Roadshow to thank for that.

A VPN is your best bet at limiting the amount of data related to internet traffic that the government gets. Luke Hopewell, of Gizmodo Australia, has a great write-up about the current state of VPNs in Australia.

In Summary

We’re screwed. You can take some measures to protect your privacy, but all it takes is one person to not take these measures and you’re screwed anyway. Sure you use a reputable email service, but does the person you’re emailing? Now the government has that metadata, they just got it from someone else.

Lastly, I forgot to mention, Joe Hockey allocated $180MM from the last budget towards the cost of retaining all this data for two years. This isn’t going to come close to covering the costs for the telcos and Australian businesses. Prepare for a surveillance tax.

Don’t forget, this man doesn’t know what the word metadata means, but he decides who gets yours.

  1. Our glorious Senator the Hon George Brandis QC.

  2. Oxford English Dictionary, provided by Apple Inc. Accessed Oct 11, 2015.

  3. Yeah our national mail service sells 1kg bags of confetti for twenty-something dollars. And yeah I do plan on buying some.

  4. Which, remember, you will never be informed of…

  5. Yeah, that sentence was not possible this time last month. By the way, Malcolm was Communications Minister when this bill passed.
