A galaxy slowly turns in the vast blackness of the cosmos. The scale is breathtaking. Boundless. Slipping past stellar nurseries light years high, we come to a bright patch of sky suspended on an enormous spiral arm. Deeper still, ice worlds and gas giants flash by, and the luminous mother of life flickers in the approaching distance.
A sudden speck of blue catches our eye, and in an instant we are watching the earth turn. Clouds trail lazily over the Himalayas as the eyelid of dusk creeps across the Indian subcontinent. There is a glow from the night side, and squinting we can make out miniscule flecks of light, our human cities.
Here we all are. Every man, woman and child that has ever lived, every war fought, cheque cashed, every first kiss, last goodbye and longed-for embrace, every kingdom and every church, on this ball of rock orbiting a giant nuclear furnace, spiralling endlessly through space.
We move closer still, to a wide and barren continent, past cloud cover and before us lies a city, relatively small on this planet, populated by low office buildings and distinguished by a sizeable lake. We swoop in, birdlike, through the window of one of these buildings, which sits squat on a hillock, and breathing heavily behind an expensive looking desk is none other than our own Attorney General, George Brandis, who, blissfully unaware of his situation in the universe, is hard at work pushing new legislation to capture and retain the metadata of his fellow countrymen.
(This article contains many references to the Report of the Inquiry into Potential Reforms of Australia’s National Security Legislation, where there is a number or text enclosed in brackets like so: (5.17), refer to the appropriate section of the report.)
Attorney General George Brandis
What is metadata?
It seems the Attorney General, despite the fervency of his evangelism for the cause, is himself unsure. A strange situation no doubt, to find one of the most powerful men in the country advocating for changes to the fabric of society while being out of the loop as to what those changes actually entail.
Metadata is data about data. There are two types, structural metadata, about the design and specification of data structures or “data about the containers of data”; and descriptive metadata, about individual instances of application data or the data content.
Descriptive metadata is typically used for discovery and identification, as information used to search and locate an object such as title, author, subjects, keywords or publisher. Structural metadata gives a description of how the components of an object are organised. An example of structural metadata would be how pages are ordered to form the chapters of a book.
In the case of government data retention, the data most commonly stored is that of telephone calls made and received, emails sent and received, location data and websites visited.
What is “telecommunications data”?
Nicola Roxon, to the Attorney General: “Telecommunications data is information about the process of communication, as distinct from its content. It includes information about the identity of the sending and receiving parties and related subscriber details, account identifying information collected by the telecommmunications carrier or ISP to establish the account, and information such as the time and date of the communication, its duration, location and type of communication. (5.7)
An example of metadata.
The proposed legislation, based on the definitions above, would give the Australian government unprecedented access to nearly every aspect of the online activity of it’s citizens, and the ability to infer a disturbingly accurate “pattern of life” from the collected data.
For example, you may have your cellphone’s GPS services enabled to use Google Maps. That data, in conjunction with your phone records and timestamps on the above data could clue in a security agency as to your most likely whereabouts on any given day. This poses an enormous risk to freedom of the press, as governments could use these capabilities to track journalists and their sources to frequented meeting places, limiting concerned parties’ abilities to bring sensitive information to the public for democratic review.
“The database will contain every page they accessed – every article they’ve read on a newspaper site, any online political activity, any purchases on ebay, books bought from amazon, Facebook pages visited etc.” – Ian Quick (5.68)
The collection of metadata could and likely would reveal highly intimate details of a persons life, including religious and political affiliations, sexual orientation, health issues, a person’s circle of friends, their address, partner, their age and any affairs being conducted by the individual. (5.70-71)
Electronic Freedom Australia notes that the distinction between metadata and content is spurious at best when metadata can be used as content [and in many cases can provide more detailed information about a target.] (5.69)
This is supported by former NSA contractor Ed Snowden’s comments at an Amnesty Intl. event in the US , where he stated that metadata collection is more intrusive than listening in on calls directly: “Metadata is what allows an actual enumerated understanding, a precise record of all the private activities in all of our lives. It shows our associations, our political affiliations and our actual activities.”
In the words of former NSA/CIA Director Michael Hayden:
“We kill people based on metadata.”
So what exactly do the new laws propose?
According to the Report of the Inquiry into Potential Reforms of Australia’s National Security Legislation Parliamentary, by the Joint Committee on Intelligence and Security, the legislation may grant ASIO and related security organisations the ability to use third party computers and devices to access information on a first party machine. This has been categorically denied by the Attorney General’s department, stating that “the warrant would not authorise ASIO to obtain intelligence material from the third party computer or the communications in transit”.
All well and good, but considering the implementation of laws late last year that prevent journalists from “disclosing information relating to ‘special intelligence operations’”, how would the public find out if abuses of these powers were taking place? It’s unlikely a journalist will risk ten years imprisonment to bring that information to light. This imposition on the freedom of the press serves to make the activities of intelligence agencies entirely opaque to the people affected, and has grave implications around the ability of government to abuse it’s citizenry without accountability.
It’s also unclear as to whether information about potential abuses could be used to prosecute those involved, with a recommendation proposed that would involve “amending the ASIO Act to create an authorised intelligence operations scheme. This will provide ASIO officers and human sources with protection from criminal and civil liability for certain conduct in the course of authorised intelligence operations.” (xvi, 10)
The legislation also allows security personnel to use “reasonable force” at any stage in the execution of a warrant, recommends establishing an offence for failure to assist in the decryption of communications (xvii, 15) and tailored data retention periods for up to 2 years (xvii, 15), among other provisions in order to “enable interception and access to communications in order to investigate serious crime and threats to national security.” (Page 23)
Fears about the above stated powers and the implications thereof have been echoed by several EU countries. The Romanian Court, with regards to local metadata retention, held that a “continuous legal obligation” to retain all traffic data for six months was incompatible with the rights to privacy and freedom of expression. (5.26)
In Germany, the Constitutional Court described metadata retention as a “serious restriction of the right to privacy” and stated that a “retention period of six months [was] at the upper limit of what should be considered proportionate”. (5.27)
The Czech Constitutional Court, in analogous statements, described misgivings about the potential abuses of these powers: “Individual citizens had insufficient guarantees against possible abuses of power by public authorities.” (5.28)
The EU Court of Justice found that the 2006 European Data Retention Directive violated citizens “fundamental rights to respect for private life and to the protection of personal data”.
With such strident international condemnation, it seems to go without saying that any committee responsible for review of similar legislation would be given express access to details of the proposed changes and sufficient resources to complete a sincere and detailed examination of the material. Oddly enough, these criteria were not met: “Having commenced the inquiry at the beginning of July 2012, the Committee was asked to report if at all possible by the end of the calendar year. This afforded the Committee a highly compressed and unachievable time frame of less than six months to examine what is an extensive list of potential reforms, some of which are far reaching.” (Introduction, Page 3)
It seems that the government also failed to provide the committee with the relevant draft legislation, leaving those involved to rely on speculation and inference rather than an appraisal of the raw data: “The Government sought the Committee’s views on a mandatory data retention regime. The Committee did not have access to draft legislation. Furthermore, the inadequate description of data retention in the terms of reference and discussion paper also impaired both the public discussion and the Committee’s consideration of the data retention issue.” (1.29)
What do the public have to say about it?
The response to the legislation from organisations and citizens across the nation has been almost uniformly negative. Usually sympathetic to the Liberal government’s aims due to ideological crossovers, the Institute of Public Affairs commented that “[the] imposition of such an extraordinary, systematic and universal program would render any presumed or existent Australian right to privacy empty,” going on to say that “data retention would be a continuous, rolling, systematic invasion of the privacy of every single Australian, only justified because a tiny percentage of those Australians may, in the future, be suspects in criminal matters. Indiscriminate data retention is an abrogation of our basic legal rights.” (5.42-43)
Many of the criticisms directed at the legislation came from civil rights groups and other parties interested in maintaing internet security and privacy. A selection of these criticisms reveals that the opacity of the legislation, its potential to be indefinitely expanded, and the relationship it has to public interest were among the concerns expressed:
From the Human Rights Law Centre : ”the Government has not provided any significant information to show that there is an overriding public interest in implementing a data retention system.” (5.46)
From Liberty Victoria: “it is inevitable that, once a database of retained communications data is established, efforts will be made to extend its use for new purposes.” (5.50)
Courtesy of Ms. Stella Gray: “Pre-emptive surveillance of an entire population does away with the legal principle of the presumption of innocence.” (5.53)
A former iiNet lawyer noted that “the Data Retention Bill does not impose any limitation on access to the data retained by other legal avenues. This means there’s nothing stopping your ex-husband, your employer, the tax office or a bank using a subpoena to get access to that data if it’s relevant to a court case.”
Additional concerns were raised about the potential of the stored data to become a ‘honeypot’ for criminals and identity thieves. The database would appear to criminals, identity thieves and foreign states, and even terrorists themselves as a veritable bounty of useful information, and thus increase the likelihood of non-state intrusion into citizens privacy, the potential for theft of information and the potential for criminal misuse of the information gathered. Reports of “significant data breaches” occur “almost daily”, which almost guarantees that the retained data would be compromised. In recent months, Twitter, Yahoo and LinkedIn have had customer data stolen. (5.122)
The Australian Privacy Foundation has made statements to the committee to that effect, saying that “Mandating the creation and storage of records of communications that would not otherwise be kept increases risk and vulnerability, creating additional ‘honeypots’ of valuable personal information that would be a target for hackers and risk multiple abuses.” (5.114)
Members of the public have aired similar concerns: “Data retention measures make our society less secure, by creating enormous silos of identifiable information in readily attackable locations. One single security breach risks losing everything, on a scale that leaves the United States’ experience with Wikileaks in the shade. It is contemptible that the Government has learned no lessons from its own Wikileaks exposure, and still believes that concentrating large troves of leakable, attackable private data is a good idea.” (5.129)
It seems that the government is reticent to speak about the potential for identity theft in public, at speeches and conferences. This seems indicative of a strong bias towards the implementation of the laws. What other reason would the government have in tacitly omitting potential downfalls of the legislation?
The public may be left in the dark as to the nature, scope and consequences of any data breaches that do occur, as under the law there is no requirement to notify the OAIC (Office of Australia Information Commissioner) or any other individual or organisation in the event of such a breach.
Will it work?
The question of how efficacious metadata retention is in solving and preventing crime is a raging debate. Electronic Freedom Australia noted that it was “highly questionable” whether data retention would aid in the investigation of terrorism, organised crime or other serious illegal activities: “It is worth noting that determined criminals will have little difficulty disguising or anonymising their communications. There are many relatively simple and effective tools available that allow for the protection of communications from surveillance.” (5.167)
This is an excellent point. The proposed legislation is no secret. Those in the criminal world will have no doubt heard of the potential for their activities to be monitored and have likely already taken steps to anonymise their online behaviour. Even in the event that the scope of the metadata retention reforms is so broad that it includes tools for opening encrypted chats and messaging services, it is not unlikely that tech savvy individuals on the wrong side of the law will be developing tools to combat this unwanted intrusion, rendering the legislation effectively useless in dealing with its raison d’être: combating terrorism and serious crime.
An unintended consequence of the introduction of metadata retention could be the opposite of what it is designed to achieve: a progressive opacification of the internet, with more and more users turning to encrypted browsing and communication, thereby shrinking the usable pool of data.
“Why do we imagine that the criminals of the greatest concern to our security agencies will not be able to use any of numerous available means to anonymise their communications or indeed choose new services that are not captured by legislated data retention rules?”
This quote from Communications Minister Macolm Turnbull, in addition to his recently revealed use of the messaging app Wickr, which provides a platform for anyone to send and receive self-deleting encrypted messages, seems to indicate that the reforms are likely to bring about little change in the positive ability of law enforcement agencies to stop criminal activity.
Add to this comments made by Blueprints for Free Speech, indicating that “there is no evidence to suggest data retention would assist with the prevention of crime or terrorism. A 2011 study of Germany’s Data Retention Directive found it had no impact on either the effectiveness of criminal investigation or the crime rate. Further, the study specifically found that countries without data retention laws are not more vulnerable to crime.”
The official rhetoric around this issue builds a picture of the nation as fundamentally imperilled by the absence of data retention. Are we to accept that we are, and have been since the rollout of the internet in the mid nineties, in a situation of extreme risk from technologically adept criminals? The fact that the fabric of our society has not been eroded over the last twenty or so years seems to indicate that the risk may not be as pressing as the advocates of metadata retention would have us believe. According to one analysis conducted by Arbeitskreius Vorratsdatenspeicherun of the effectiveness of data retention in Germany: “Blanket data retention can actually have a negative effect on the investigation of criminal acts. In order to avoid the recording of sensitive and personal information under a blanket data retention scheme, citizens increasingly resort to internet cafes, wireless internet access points, anonymisation services, public telephones, unregistered mobile telephone cards, non-electronic communications channels and suchlike. This avoidance behaviour can not only render retained data meaningless but even frustrate targeted investigation techniques (eg wiretaps) that would possibly have been of use to law enforcement in the absence of data retention. Because of this counterproductive effect, the usefulness of retained communications data in some investigation procedures does not imply that data retention makes the prosecution of serious crime more effective overall.” (5.171)
These comments stand in stark opposition to statements made by major Australian law enforcement agencies, claiming that “loss of access to such data, for technical or legal reasons, would result in a loss of fundamental investigative capability and the ability of security and law enforcement agencies to function effectively.” (5.183)
If this is the case, are we to infer that currently and until the metadata laws are passed, and extending back to the point of their creation, Australia’s major security agencies have been functioning ineffectively? That they have had no fundamental investigative capacity? That, according to the Australian Federal Police, they have been suffering from a “ limited ability to conduct thorough and complete investigations?”
This is obviously nonsense. If it were so, one could make the case that all taxpayer funding of these agencies should be refunded to the citizenry due to the inability of these agencies to perform as intended. It seems impossible to reconcile statements made by Tony Abbott that Australia boasts the most advanced and efficacious security agencies in the world with the above statements. They cannot be true simultaneously.
There is a logistical side to the storage of vast amounts of data that must be considered alongside ethical and administrational concerns. The data must be stored securely, with no chance of a breach. It seems the only way to accomplish this would be to use air gapped machines (computers that have never been connected to the internet) and limit access to on site retrieval with appropriate security clearances. The cost of transferring data collected from the web securely to such a facility would be immense. If the computers are connected to the internet in order to avoid this logistical nightmare, there is a risk of intrusion by non-state actors.
According to the Pirate Party, backing up the data collected would involve a more complex system than the norm, including a means of ensuring that backups could not be ‘restored’ to another system by someone familiar with the system in order to freely access that data. (5.140)
The sheer volume of data collected could also “swamp” law enforcement agencies, rendering them less able due to the constraints of having to sift through mountains of information. (5.154) Ms. Stella Gray noted that “dozens of analytic trackers (measuring page view stats) and advertising servers all run in the background of many websites people visit on a daily basis. That is a lot of data that CSP’s will be trusted to store, and a lot of data that law enforcement will need to sift through every time they are suspicious of someone.”
Answering the questions posed by the Australian Law Council seems to be a good start in addressing some of these concerns. The questions are as follows:
- Once the data has been retained, how will it be matched with a particular person on communication?
- How will it be verified, and if it is used as evidence in court, how will it be protected from public disclosure?
- In addition, how will authorised agencies deal with the sheer volume of data retained when attempting to identify and request the data need for a particular investigation?”
Can we trust our government to use these powers responsibly?
The NSA’s data centre in Utah.
In an article on The Intercept by investigative journalist Glenn Greenwald, who Edward Snowden selected to report on his world-changing revelations about the mass-surveillance systems being created by the NSA and other international partners, documents released by Snowden indicate that the government of New Zealand worked in secret to initiate a new metadata collection program while publicly denying any such activity.
The documents demonstrate that the GCSB, New Zealand’s spy agency, implemented Phase I of the mass surveillance program codenamed “Speargun” at some point in 2012 or early 2013. “Speargun” involved covert installation of “cable access” equipment, which appears to refer to surveillance of the Southern Cross cable, the nation’s main undersea cable link, which carries the vast majority of internet traffic in and out of New Zealand.
Upon completion of Phase I, the program moved to Phase II, whereby metadata probes were to be inserted into those cables.
Contrary to prior statements, NZ Prime Minister John Key admitted that the GCSB did, in fact, plan a program of mass surveillance aimed at his own citizens, but claimed that he rejected the program prior to it’s implementation. This is again in contradiction with the actual documents, which can be viewed on Greenwald’s article linked above. The documents, from 2012, state that the project was at that time “underway”, and that Phase I had been achieved.
Considering Australian and New Zealand involvement and complicity in the “Five Eyes” network of communications data collection, it is not unlikely that a similar situation is taking place within our own borders as you are reading this article. If that is the case, then the question we must ask of ourselves and our government is not necessarily, “can they be trusted”, but rather, “how deep does the rabbit hole go?”.
We should also not divert our attention from the long term potentialities of abuse. This comment from Dr. James Dowty perfectly illustrates why that is.
“Once the data retention begins, legislative change could immediately give an unscrupulous government access to the web histories, emails and text messages of their political opponents and constituents. While the current government might be staunchly opposed to such misuses of the retained data, there is no guarantee that the government of 2050 will be as trustworthy.” (5.78)
Make no bones about it, metadata retention is mass surveillance. It can be used to form a dataset, a pattern of life indicating your movements, interests, affiliations and beliefs. You will be paying for this intrusion of privacy through rises in service bills, a kind of “tele screen tax” if you will. You will be at a higher risk of identity theft through the creation of ‘honeypots’ of data, irresistible to organised criminals and foreign actors. Your basic rights to privacy, to freedom of speech, to live as a dignified human person, are being infringed upon in ways that do not preclude a broadening of the scope of these abuses.
The connections between ASIO and the NSA mean that the strengthening of Australia’s surveillance capabilities is a by proxy strengthening of the NSA, an organisation which has used the Five Eyes and PRISM projects to conduct economic espionage, among other ethically questionable behaviours.
Even the supporters of the legislation don’t buy into their own rhetoric, with members of the Liberal party using Wickr on a daily basis, showing the world that privacy is of the utmost importance even to those who adamantly maintain that it isn’t.
With unanimous condemnation from leading human rights groups around the world, with a public backlash on a scale almost never witnessed, with the potential for so much to go horribly wrong, we simply must put a stop to this.
You and I, human beings in the vastness of the cosmos, on the precipice of becoming a spacefaring civilisation have a duty not only to each other but to our children, and their children, to uphold the freedoms and rights of our fellow men and women.
Here we all are. We are all authors of the human story.
Let’s write one we can live in, in peace, and freedom.
This article was originally posted on the author’s blog, which can be found here.