Submission

19th April 2001

Inquiry into The Law Enforcement Implications of New Technology

[This is a submission to the Parliamentary Joint Committee on the National Crime Authority.]

About EFA

Electronic Frontiers Australia (EFA) is a non-profit national organisation formed to protect and promote the civil liberties of users and operators of computer based communications systems. EFA was formed in January 1994 and incorporated under South Australian law in May 1994.

Our major goals are to advocate the amendment of laws and regulations in Australia and elsewhere (both current and proposed) which restrict free speech, and to educate the community at large about the social, political and civil liberties issues involved in the use of computer based communications systems. EFA is independent of government and commerce and is funded by membership subscriptions and donations from individuals and organisations with an altruistic interest in promoting civil liberties.

Introduction

EFA's main concerns in relation to the current Inquiry are proposals put to the Committee for mandatory retention of transaction log records by Internet Service Providers (ISPs). Bodies that have submitted such proposals have included the Australian Securities and Investments Commission (ASIC), National Crime Authority, and the Western Australian Police Minister.

We are concerned that if such a proposal is adopted by the Committee it may become lawful for any public authority to obtain a vast wealth of communications data without a ministerial or judicial warrant.

We consider the monitoring or data warehousing of Internet traffic or content on a mass scale to be highly privacy-invasive and an infringement of the human rights of Internet users.

Interception of communications is often used against dissidents, whistleblowers, political activists and human rights workers around the world. Care must be exercised to ensure that any monitoring measures introduced to assist law enforcement are proportionate to the crime involved, and respect the rights and freedoms of innocent individuals, including those who wish to exercise their right to dissent against government policy.

Rights and Risks

We urge that any recommendations of the Committee be consistent with international human rights instruments, namely articles 12 and 19 of the Universal Declaration of Human Rights (1948) [1] and articles 17 and 19 of the International Covenant on Civil and Political Rights (1966) [2] (refer Appendix).

The key principle in these articles is that "no one shall be subjected to arbitrary interference with his privacy, family, home or correspondence".

EFA submits that clear limits need to be imposed on powers granted to law enforcement authorities in situations where civil liberties are likely to be compromised. In particular, we would expect that surveillance is used only in the case of serious crimes, is specifically targeted against suspects, and is under judicial control. Techniques used should allow for clear prevention of self-incrimination and should not interfere with other inalienable rights, such as privacy and freedom of expression.

The methods used must separate out the communications of the specific target under investigation, gather only the legally permitted amount of data, be secure against tampering, and respect the division between content and traffic data.

Any proposal for ISP logging or monitoring would be tantamount to the sanctioning of mass surveillance. Such a measure, combined with the use of sophisticated analytical techniques such as data-mining, triangulation of data, "friendship trees", and "interest profiling", would be another step towards a totalitarian society not dissimilar from that envisaged by George Orwell in his prophetic work 1984.

The proposals would also raise questions about the extent to which the needs of e-commerce, in gaining trust and confidence of Internet users, are understood. Surveys of Internet users consistently raise privacy and security concerns as the primary obstacles to rapid uptake of online commerce. Such concerns are unlikely to be allayed by suspicions that the government's encouragement of electronic commerce and online government service delivery may be partly motivated by a desire to increase surveillance of citizens.

Australia, along with other Western democracies, has a strong tradition of maintaining checks and balances on police power. Telecommunications interception has always been treated as a serious matter, justified only in serious circumstances and requiring judicial oversight. The recent changes to the ASIO Act loosened the restrictions in this area. Proposals to mandate ISP logging would further erode controls and enable a much wider group of agencies to access communications data.

EFA contends that no compelling case has been made to justify mandatory record keeping by ISPs. Instead, submissions made to the Committee have relied on anecdotes, with no supporting data or statistics on the prospects for improvement in crime clear-up rates, the nature of any crimes likely to be detected, the additional evidence expected to be obtained, or the increased probability of successful prosecutions.

Regulation of Investigatory Powers Bill (U.K.)

The Committee is no doubt well aware of the Regulation of Investigatory Powers (R.I.P.) Bill, recently introduced in the UK, which has been universally condemned as misconceived, inappropriate and draconian. It is also predicted to have a highly detrimental impact on the development of electronic commerce in the UK. The British Chambers of Commerce published a comprehensive report in June 2000 outlining the problems with the R.I.P. Bill [3].

While the ISP logging proposal does not go as far as the R.I.P. Bill, it would be one more step towards the same kind of unacceptable mass surveillance. One of the more offensive of the Bill's provisions is that it reverses the burden of proof in requiring encryption users to prove a negative, namely that they no longer have possession of an encryption key. Those who understand cryptographic science and technology are well aware of the problems that this provision creates, yet their legitimate concerns seem to have been ignored by lawmakers. EFA is concerned about several naive propositions that have been put to the Committee concerning the feasibility of decryption of communications by third parties. We are also concerned about suggestions by the National Crime Authority witnesses that legislation similar to the R.I.P. Bill might be appropriate for Australia. Strong cryptography is a vital tool for protecting privacy and security of communications, and any proposals to limit encryption strength are likely to jeopardise data security and increase the risk of cybercrime.

With respect, EFA urges the Committee to consult with security professionals on this issue rather than take advice from law enforcement agencies who clearly do not understand the technology.

Privacy Act Considerations

The potential for infringement of the Privacy Act (Cth) (as amended 2000) must also be considered. In particular we refer to the National Privacy Principles (NPP), Section 1 - Collection, which includes the following principles [4]:

1.2 An organisation must collect personal information only by lawful and fair means and not in an unreasonably intrusive way.
1.4 If it is reasonable and practicable to do so, an organisation must collect personal information about an individual only from that individual.

It is acknowledged that the Privacy Act seeks to balance the right to privacy with other public interests such as law enforcement objectives. In particular, NPP 2.1(h) allows personal information to be disclosed in defined circumstances for the secondary purpose of law enforcement.

However, EFA contends that a proposal for compulsory logging of communications traffic does not give rise to a secondary purpose within the meaning of the Act. Rather, the primary purpose of such record-keeping is the acquisition of mass surveillance data without consent, in case the data is required at some future time to incriminate a particular user. The law enforcement provisions of the Act are clearly intended only to allow law enforcement agencies to access specific records collected by an organisation for some other legitimate purpose.

Furthermore, it is questionable whether the disclosure of information from communications logs for data-matching purposes is a permitted purpose under the Act if it involves disclosure of information about large numbers of individuals who are of no interest to the relevant agency.

We contend that any system which monitors the communications of Internet users, without their consent and without a judicial warrant, would be contrary to the government's intent in expanding the coverage of the Privacy Act. It is our understanding that the Privacy Commissioner is currently preparing Guidelines to assist organisations in applying the National Privacy Principles.

Risk of Abuse

We also bring to the Committee's attention the recent revelation, before a Senate Estimates Committee, that almost one million disclosures of information or documents by carriers, or carriage service providers, under the provisions of Part 13 of the Telecommunications Act 1997 (Cth), had been made in the 1999/00 year. [5], [6]. This was a substantial increase over the figures for previous years. The level of disclosure, and the rate of increase, is illustrative of the manner in which surveillance is overused once the facility is put in place.

Logging and monitoring of Internet communications is more invasive than telephone records because the information can be used not only to determine the parties to a communication but may also be used to draw up interest profiles of users. This is clearly an infringement of an individual's right to privacy in terms of basic human rights.

Unlike telephone call records, most ISP logs, apart from those used to determine customer log-in durations and traffic volumes, are not intrinsic to the operation of the business. E-mail and web proxy logs are an ephemeral by-product of server operations, useful in the short term to diagnose technical problems, but otherwise routinely discarded. It is necessary to embark on a data-mining and data matching exercise in order to turn the raw log data into information about user behaviour. This factor is mentioned because it increases the risk that ISPs may hand over complete logs of all user transactions to law enforcement authorities rather than undertake the costly exercise of extracting and matching information about a particular individual of interest.

A Need for Proportionality and Effectiveness

EFA recognises and supports the need to counter criminal use of the Internet. We also accept that in countering such use it may sometimes be necessary to infringe the rights of honest Internet users in order to secure the prosecution and conviction of guilty parties. But in considering such action we believe that it is necessary to apply the following tests to any proposals that are made:

1. That they provide clear net benefit for society. That is, the benefits are clear and are achievable by the measures proposed, with the detrimental impact on the rights of honest citizens as small as possible and widely accepted as tolerable in the light of the gains secured.
2. That the measures proposed discriminate effectively between criminals and honest, law abiding citizens. Therefore, they should be balanced and should not, in an impetuous desire to counter crime, expose all honest Internet users to interference with the privacy of their communications.
3. That of all the options available they are optimal in the sense that they are the most effective in countering criminals while having the least impact on honest citizens and the lowest costs for taxpayers and businesses.
4. They should be based on clearly defined policy objectives which citizens understand and which command widespread public support.
5. They should be enforceable, transparent, and accountable.

Conclusion

We conclude that the ISP logging proposal is seriously deficient in that it will undermine important rights that exist to protect the innocent without any strong evidence that the measure will have the intended impact on criminal activity.

The measures proposed are indiscriminate and not effectively targeted at criminals with the result that they will undermine the confidence of honest Internet users in the safety, security and privacy that they should have when they use the Internet.

EFA supports measures to bring serious criminals to justice. However, we believe that a balanced approach must be used in the sensitive area of communications interception such that law enforcement agencies recognise the necessity of protecting fundamental human rights.

References

[1] Universal Declaration of Human Rights
     http://www.un.org/Overview/rights.html

[2] International Covenant on Civil and Political Rights
     http://www.unhchr.ch/html/menu3/b/a_ccpr.htm

[3] The Economic Impact of the Regulation of Investigatory Powers Bill British Chambers of Commerce, June 2000.
     http://www.britishchambers.org.uk/newsandpolicy/ict/ripbillsummary.htm

[4] National Privacy Principles
     http://www.privacy.gov.au/publications/npps01.html

[5] Anger at plundered phone records. The Age, Sunday 4 February 2001
     http://www.theage.com.au/news/2001/02/04/FFX73146QIC.html

[6] Senate Environment, Communications, Information Technology & the Arts Legislation Committee. Supplementary Budget Estimates 2000-2001 (30 Nov 2000). Australian Communications Authority, Answers to Questions on Notice, Question No. 57, Managed Regulation of Telecommunications.
     http://www.aph.gov.au/senate/committee/ecita_ctte/quest_answers/04aca.pdf

Appendix - Extracts from relevant International Instruments

Universal Declaration of Human Rights

Article 12:

No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.

Article 19

Everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers.

International Covenant on Civil and Political Rights

Article 17

1. No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation.
2. Everyone has the right to the protection of the law against such interference or attacks.

Article 19

1. Everyone shall have the right to hold opinions without interference.
2. Everyone shall have the right to freedom of expression; this right shall include freedom to seek, receive and impart information and ideas of all kinds, regardless of frontiers, either orally, in writing or in print, in the form of art, or through any other media of his choice.
3. The exercise of the rights provided for in paragraph 2 of this article carries with it special duties and responsibilities. It may therefore be subject to certain restrictions, but these shall only be such as are provided by law and are necessary:
(a) For respect of the rights or reputations of others;
(b) For the protection of national security or of public order, or of public health or morals.

In relation to Article 17, the United Nations High Commissioner for Human Rights noted:

In the Committee's view the expression "arbitrary interference" can also extend to interference provided for under the law. The introduction of the concept of arbitrariness is intended to guarantee that even interference provided for by law should be in accordance with the provisions, aims and objectives of the Covenant and should be, in any event, reasonable in the particular circumstances.