Last month it was revealed that the Federal Government Attorney-General’s Department had been for some time considering the implementation of a legislatively mandated telecommunications data retention regime in Australia and had been approaching Internet Service Providers (ISPs) with respect to the extent to which data could be retained. The compulsory standard to which the Department has signaled it was investigating equivalency with was the European Data Retention Directive.
Due to the opacity of government enquiries, and an as yet incomplete Australian proposal, this submission will concern itself with the possible implementation of a data retention proposal similar to the European model.
The European model which was brought into being after the perception of vulnerability following attacks in New York and Washington in September 2001, the Madrid train bombings in March 2004 and July 2005 London Bombings, represents a shift towards an empowerment of law enforcement, beyond a tolerable level of interference with which citizens should be expected to oblige.
Whilst the populace demand security, and politicians often engage in providing an illusion of security by extension of surveillance powers, increases in surveillance does not reduce crime. What increased surveillance does do is intrude upon the privacy of innocents. There is no evidence whatsoever that data retention or increased surveillance has had any beneficial effect.
Human Rights & Data Retention
As the world progresses towards an information-oriented society an increasing degree of our social interaction occurs via telecommunication networks.
Socially, culturally, economically — we conduct our lives on these networks. We consult our lawyers; perhaps we consult a crisis line or seek assistance from drug-counseling websites. The world economy depends on the Internet; everyday business is conducted over the Internet, with highly sensitive and confidential data being transmitted.
The widespread adoption and use of the Internet raises a relatively unanticipated potential for surveillance — dystopic scenarios of ‘Big Brother’ increasingly become more probable, due to the relative ease for centralised recording of all content and traffic data on the Internet. The same rhetoric used with the introduction of CCTV surveillance cameras is being used to justify the introduction of data retention, with an equal lack of evidence.
In face of opposition to retention of transmitted content, proponents of data retention laws propose to retain meta data – information about the content being transmitted rather than the content it self. However meta/traffic data is not, and should not be considered to be less invasive than content data, and should be afforded the same legal protections. Meta data may in fact require more stringent legal protection — it can be more effectively processed, and analysed automatically. When combined with other data, specific patterns, can be searched for then sorted to certain criteria, all of which is unachievable with content data — and this can be used to decipher and intrusively deduce a wide variety of information about an individual — analysis can reveal a ‘person’s political, financial, sexual, religious stance or other interests.’ However this analysis is not foolproof, and will lead to erroneous incrimination or suspicion. Fishing expeditions by law enforcement present problems, and there is also the issue that traffic data sometimes cannot be linked to a single individual, in that often affects a number of different users simultaneously.
With data retention laws, the typical understanding of law enforcement takes on a new dimension, and the ability to track citizens far exceeds what we traditionally understand of the powers granted to law enforcement. Access to such a wide variety of data, by law enforcement and government officials, especially in secrecy, can and will be abused. Furthermore, the government in its enthusiasm for surveillance, could not adequately ensure that all data retained would not be at risk to abuse from third parties — either by malicious access to vast databases, or unauthorised misuse of traffic data. Prominent individuals for instance, or even politicians may be compromised, forced to resign or even blackmailed.
In addition to the issues regarding the invasion of privacy and abuse, there is the issue of cost. Any data retention scheme will have significant costs associated, whilst providing no commercial benefit to the CSP. CSPs must make substantial initial investments in infrastructure, staff and process development with ongoing operational costs, for instance maintenance and staff providing retrieval, verification and advice services to law enforcement — costs which must either be subsidised by the government itself, with marginal costs borne by telecommunication providers or the entire cost of compliance to be borne by telecommunications provider, which inevitably means increased costs for consumers, and significant cost burden on the CSP. If the government does initially sponsor such retention, history does show this situation is only temporary, eventually these costs become recognised as simply part of ‘doing business’ and costs of compliance — the inevitability of cutting corners with respect to security and integrity would then become a significant concern. After all, this data retained is of no use to CSPs.
It is important here, in determining whether blanket retention is justifiable, to distinguish between different approaches to data retention — that is, the difference between the mass, wide-scale, dragnet retention of data and targeted personal surveillance — surveillance or monitoring of an identified person, for specific reason, sanctioned by judicial warrant.
Whilst the latter (with judicial oversight) is acceptable and necessary for the purpose of pursuing legitimate criminal investigation, the other creates unnecessary suspicion, fear and distrust. This has a ‘chilling effect’ on public discourse — a threat to open communication, to political activity. It also means that consumers may refrain from participating in legitimate and and lawful discussion and transactions in fear that these transactions may be logged and retained for years, potentially to be used against them. Indiscriminate retention is incompatible with human rights and for this purpose cannot be considered legal or legitimate.
It should be noted that it is an arms race between those who implement surveillance, and those who seek to avoid it. Where active surveillance is prominent, it encourages the use of counter-surveillance technologies and methods to help in retaining anonymity and the privacy of communication — this inevitably makes the job of legitimate law enforcement activity much more difficult and costly. People are already familiar with technologies such as Virtual Private Networks (VPNs), simply using HTTPS, or any protocols that support encryption achieve some of these aims. With IPv6 being deployed in coming years, encryption will become an integral party of Internet traffic.
The question is then, for what purposes can such data be used for by law enforcement, should it be retained. Of course, the prevention and investigation of serious criminal activity are the usual stated purposes of data retention regimes — however what serious criminal activity actually is, can often vary according to perspective. Without doubt, terrorist activity or the distribution of child sex abuse material are serious criminal activities, but will this also include other ‘cybercrime’ for instance copyright infringement?
The Cybercrime Convention
The debate in Australia surrounding retention of data began in the late 1990s, with the development of the Council of Europe Cybercrime Convention (the ‘Convention’) — a treaty that although providing with the best of intentions a greater fluidity to cross-border law enforcement and co-operations, has serious flaws that do not adequately protect civil liberties and privacy to counterbalance potential abuses by law enforcement and government, that detracts from these ‘good intentions’.
The Convention grants law enforcement agencies power for direct access to entire ISP networks, effectively mandating mass surveillance — eaves dropping, interception of private email and any other communication, with insufficient specification in the way of strict procedural safeguards and limitations. Although this may not be a issue for nations with substantial protections, the agreement is being touted as a global standard, after the UN process to establish an International Cybercrime Treaty that adequately respected the centrality of human rights and the necessary safeguards for any criminal justice system, failed.
There are significant concerns, especially regarding the authorisation and implementation of invasive surveillance regimes [like Carnivore, the FBI ‘internet tapping’ system, now replaced by NarusInsight and rebranded as a slightly more benign ‘Digital Collection System’,] which is used for mass surveillance and monitoring of Internet communications in real-time within the US, the use of which was subject to court proceedings, in a class action lawsuit led by the Electronic Frontier Foundation (EFF).
Should a data retention scheme ever be implemented, its expansion will be inevitable. The government cannot guarantee, that should it even implement a system with significant protections, that a subsequent government would not amend these safeguards or expand the scope of data retained. We already see the expansion of the European directive for Internet searching history, how long is it before significantly more draconian measures are demanded, for instance the presentation and recording of identification at telephone booths, Internet cafes and wireless hot spots because the current retention regime is ‘incomplete’, and may be evaded? To pursue mass surveillance and retention of all telecommunications traffic data is to begin the journey down this path.
 Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications networks and amending Directive 2002/58/EC  OJ L 105/54
 In Australia, particular pressure has also come from bombings in Bali in October 2002 and October 2005.
 It also curious, that Europe in leading the way with the regulation of transaction logs within the Information Society with the establishment of data privacy regime that limited the collection, processing, retention and access to this information, had then implemented the legislative architecture for mass surveillance, despite significant public opposition and little evidence based justification.
 Patrick Breyer, ‘Telecommunications Data Retention and Human Rights: The Compatibility of Blanket Data Retention with ECHR’ European Law Journal 11(3) 3 May 2005, 365-375.
 Except for exceptions created within, for instance, the Telecommunications (Interception Act) 1979 for the domestic Australian Secret Intelligence Organisation (ASIO).
 For instance in the Council of Europe Cybercrime Convention the inclusion of ‘copyright infringement’ is quite curious — whilst many nations may be a signatory and already have complied with Article 61 of the Agreement on Trade Related Aspects of Intellectual Property Rights (TRIPS), nations that may accede to this agreement may not have. Copyright is far from stable, and should not be included within such agreements. It comes as little surprise that groups like the Recording Industry Association of America (RIAA) welcomed the agreement.
 Council of Europe Convention on Cybercrime, opened for signature 23 November 2001 CETS 185.
 In compliance with the Resolution adopted by the General Assembly on the report of the Third Committee (A/55/593) 55/63 Combating the criminal misuse of information technologies that “[t]he fight against the criminal misuse of information technologies requires the development of solutions taking into account both the protection of individual freedoms and privacy and the preservation of the capacity of Governments to fight such criminal misuse”.
The following documents were received from the Attorney-General’s Department under the Freedom of Information Act (1982). They pertain to a secret meeting between copyright industry lobbyists and Internet Service Providers (ISPs). Much of this information has not been previously made publicly available. All information made accessible to me is now publicly available.
Analysis will follow in time. Those that know, understand my current personal situation precludes me from committing time to commenting and analysing the issue. For all comments, I’d recommend contacting Pirate Party Australia as I am informed they will now analyse the documents.
UPDATE: Renai Le May at Delimiter has quickly picked up on one of the central themes of the documents – consumers were and continue to be excluded from the process. This exclusionary approach is standard practice for the Attorney-General’s Department.
UPDATE 2: Mozart has come straight to the point — what does transparency and open government look like in modern Australia?
UPDATE 3: Michael Lee at ZDNet has a good summary of the issues and themes within the released documents.
On the August 24, The Australian revealed that the Attorney General’s Department was convening meetings with stakeholders — except that it had excluded one very important group. You.
The copyright lobby and its many faces and fronts are being given an audience with the Attorney General’s Department and platform on which to pressure ISPs into an industry code for ‘dealing’ with file sharers. Of course, we know what that means – the termination of access on their accusation.
What is very worrying, is that this is being conducted behind closed doors and that the government seems very willing to place the legislative gun to the head of service providers. If there is one thing that the government is transparent about, it is that it will pull that trigger, in attempting to enforce an antiquated monopoly mechanism, with no regard to clear issues with human rights and civil liberties.
We cannot rely on ISPs to protect consumers — when push comes to shove, they will capitulate, so it is important that civil society and political groups and parties all sing the same song — termination, suspension or limitation of access to the Internet for allegations of copyright infringement, or even breaches, are not acceptable or proportional.
Below is a letter sent to the Secretary of the Attorney General’s Department, Mr Wilkins.
Dear Mr. Wilkins,
I write to you seeking clarification of certain issues raised in an article authored by Andrew Colley, published in The Australian on August 24, 2011 entitled ‘A-G in call for talks on online piracy’.
The article cites a spokesperson for the Attorney General’s Department indicating that a meeting had been convened in order to garner the differing positions, need and scope of any governmental intervention.
It is very concerning that there has been no public mention of the meeting convened between stakeholders and that amongst the published list of invited participants there appears to be no representation from consumer organisations or civil society – in fact, the meeting appears to be convened with the specific intention to exclude these stakeholders.
It is even more concerning that organisations like the Australian Content Industry Group, and the dubious studies they have commissioned, which have subsequently been used by the Attorney General as justification for the policy direction of the Australian Government and only released by the organisation after Freedom of Information requests were made by myself to the department, are being given unfettered access, facilitated by the Attorney General’s department to lobby government and industry for the development of an industry code, or to effect legislative changes.
The willingness of government ministers and the Attorney General to so readily facilitate the development of disconnection mechanisms for alleged copyright infringement like those operating in New Zealand, the UK or France, is worrying.
The termination or limitation of access to the Internet on the grounds of violation of intellectual property laws, in this case, copyright, is completely disproportionate, ineffective and a violation of human rights.
That this is done without the oversight or inclusion of civil society in an open forum raises questions regarding the integrity of the democratic process and the willingness of the government to engage and listen to alternative perspectives, economic analysis and academic study.
It is imperative that the government acts in the interest of Australian citizens, recognising the importance of Internet access, protecting the rights of Australian citizens to seek and impart information, knowledge and culture, and works to safeguard due process and fundamental rights. It can do this by being transparent and open in its decision-making and policy development process.
In what could potentially be very big news, and a first step in actively pushing back the copyright monopoly, the Advocate General Cruz Villalón of the Court of Justice of the European Union has given opinion that states:
Advocate General Cruz Villalón considers that the installation of that filtering and blocking system is a restriction on the right to respect for the privacy of communications and the right to protection of personal data, both of which are rights protected under the Charter of Fundamental Rights. By the same token, the deployment of such a system would restrict freedom of information, which is also protected by the Charter of Fundamental Rights.
Rick Falkvinge writes:
This means that Eircom can no longer be forced to eavesdrop on its customers to filter out certain parts, and it means that Danish ISPs can no longer be mandated to censor The Pirate Bay and AllOfMP3. Black Internet in Sweden can give the finger to the court order to block The Pirate Bay. Many, many aggressions from the copyright industry stand to just fall flat on their face.
Christian Engström relays a comment from Slashdot user CrystalFalcon which very succinctly relays what the opinion of the Advocate General actually means:
One, no court may impose an ISP with an order to filter, in particular not because of enforcement of copyright monopolies;
Two, such filtering is a reduction of fundamental rights, so
Three, if laws are written requiring an ISP filter or block the internet, such laws must conform to very strict criteria that are applied to laws limiting fundamental rights. They must be effective, they must be proportionate, and they must be defensible in a democratic society. While this sounds like political wishywashing, it has some very specific meanings. It is useful to compare to what laws have been written to prevent terrorism: these laws are held to that standard, which the copyright industry wants badly to supersede. The Attorney General also goes into detail how such laws must be transparent and predictable.
What this does not say is that:
Four, no censorship must ever take place.
Five, no ISP may choose to limit what they present as “The Internet”.
Six, it has been the modus operandi of the copyright industry to threaten ISPs with “block to our wishes or we’ll take you to court”. This has been their standard operating procedure for the past couple of years, in order to establish enough precendents to get them written into law. Today’s verdict, or potential verdict, gives those ISPs the power to say “go play on the highway, parasites, we have an order from the highest possible court saying no court can force us to do that. We care more about our customers than about obsolete irrelevants”.
Seven, this is the highest court in Europe, referring to the (equivalent of) Constitution of Europe. Thus, there are no courts and no laws that can supersede this. No EU Directive can change this (potential) verdict. The way forward for the copyright industry appears permanently blocked; I hold it as absolutely improbable that they’ll get paragraphs in the referred European Charter of Human Rights that put the copyright monopoly before the sanctity of correspondence, of personal data, and freedom of information.
This on the day New Zealand’s Government have passed insidious disconnection laws that violate human rights.
The Washington Pirate Party has launched ‘pirate.is‘ a blogging service not unlike any other, based on WordPress, with one important distinction — it takes advantage of the legal framework and protections provided by the Icelandic Modern Media Initiative by being hosted in Iceland, that provides:
— Whistle-blower protection
— Source protection
— Source-journalist communications protection
— Limiting prior restraint
— Protection of intermediaries (ISPs)
— Protection from “libel tourism” and other extrajudicial abuses
— Statute of limitations on publishing liabilities
— Process protections
This framework is something that almost all Pirate Parties, including ours, advocate at a national level.