David Seidler, who recently undertook a Google-sponsored internship at ACCAN, last month published a paper titled ‘Hacking the Grapevine: Data retention and protecting Australian consumer privacy'. In it, Seidler examines the potential advantages and disadvantages of a mandatory communications data retention regime as the government has recently proposed.
Mandatory data retention is of great benefit to the early stages of investigations.
Seidler cites Professor Michael Fraser: “if law enforcement has a reasonable suspicion that you are planning a crime, they have both a right and a duty to collect this information.” However, this assertion is qualified by Seidler’s comment that “because metadata is helpful, does not necessarily affirm law enforcement’s unhindered access to it”.
Data retention is required for lengthy investigations.
Seidler points out that a mandatory data retention scheme would be required to provide a “baseline of the activities and threat posed by adversaries over an extended period”.
Seidler also points out that a reason for the resistance to such a scheme exists as a result of ‘media spin’. He notes that “[D]rawing this distinction, between the potentiality and the reality of data retention programs, would be a good thing for Australian government agencies to be doing. Instead, they seem to be fighting a losing public relations battle."
No evidence of the need for telecommunications data
Seidler asserts that “law enforcement has been unable to mount a convincing case, relying instead on anecdotal evidence, and “highlighting individual crimes without any detail about the significance of the role played by metadata””.
He notes that LENSA (Law Enforcement and National Security Agencies) operations are often protected by confidentiality, and cannot offer statistical evidence’. Instead, Seidler turns to international research to assess the LENSAs’ above arguments:
"In Germany, where requests for metadata were successful in 96% of all cases, it was found that a data retention program could raise the crime clearance rate by 0.002% at best."
While domestic data retention would fall under Australian law, any data stored on overseas may not. “if Australian communications are made using networks or servers based elsewhere the ability of LENSAs to access their metadata is subverted”.
Lack of checks and balances
Seidler raises the concern that such a scheme may suffer from a ‘fundamental lack of oversight’. Seidler states that the current requirements for access to metadata can be made by ‘authorised officers’ of enforcement agencies, ‘with no real accountability’.
This is worrying, given that in 2012, 319,874 authorisations were made. According to the Inspector-General of Intelligence and Security, “it is unlikely this agency is able to offer effective oversight. Extending access to two years of metadata would seem to exacerbate the problem”.
iiNet has estimated that the scheme will cost individual telcos $60 million, while the total cost may be as high as $700 million. Seidler notes that these costs will be incurred by three parties - industry, government and consumers.
Telcos will be responsible for storing the metadata. This makes them a rather attractive target to a third-party that seeks to access this data illegally.
Seidler also raises the issue of telco resources: ”the industry in general has no incentive to provide adequate metadata security”.
Criminals will evade detection
Seidler Says: “The introduction of a data retention regime would only further the circumvention of LENSA monitoring of telecommunications.”
Straining an already deficient complaints system
Seidler asserts that existing privacy complaint systems are already experiencing some difficulty managing the number of complaints they receive from consumers. The introduction of a mandatory retention scheme would place further strain on these organisations.
Coupled with an unsympathetic Federal Budget 2014, it may mean that these organisations would be given “extra responsibilities and fewer resources”.
Seidler's key conclusions are as follows:
- A mandatory data retention proposal should not be supported. In the absence of statistical evidence of the need for such a system, security, cost and oversight issues make its introduction unwarranted.
- If law enforcement agencies cannot operate without metadata on criminal suspects, a data preservation system, targeting those suspects' metadata, is a workable alternative to fully-fledged data retention.
- Regardless of whether a data retention system is introduced, existing consumer privacy protections should be improved. This would involve the introduction of greater controls over current access to metadata (including the establishment of an independent, external oversight body), a system which would notify consumers when their personal information is compromised and ideally, a Consumer Privacy Bill of Rights.
Read the full report.
EFA is a member organisation of ACCAN, Australia's peak communications consumer organisation.