Revisiting our submission to a previous inquiry into privacy, I think it has a very good section on data retention and some of the other proposals currently being considered in the National Security Inquiry.

Data Retention

Last month it was revealed that the Federal Government Attorney-General’s Department had been for some time considering the implementation of a legislatively mandated telecommunications data retention regime in Australia[1] and had been approaching Internet Service Providers (ISPs) with respect to the extent to which data could be retained. The compulsory standard to which the Department has signaled it was investigating equivalency with was the European Data Retention Directive.[2]

Due to the opacity of government enquiries,[3] and an as yet incomplete Australian proposal, this submission will concern itself with the possible implementation of a data retention proposal similar to the European model.

The European model which was brought into being after the perception of vulnerability following attacks in New York and Washington in September 2001, the Madrid train bombings in March 2004 and July 2005 London Bombings,[4] represents a shift towards an empowerment of law enforcement, beyond a tolerable level of interference with which citizens should be expected to oblige.[5]

Whilst the populace demand security, and politicians often engage in providing an illusion of security by extension of surveillance powers, increases in surveillance does not reduce crime.[6] What increased surveillance does do is intrude upon the privacy of innocents. There is no evidence whatsoever that data retention or increased surveillance has had any beneficial effect.

Human Rights & Data Retention

As the world progresses towards an information-oriented society an increasing degree of our social interaction occurs via telecommunication networks.

Socially, culturally, economically — we conduct our lives on these networks. We consult our lawyers; perhaps we consult a crisis line[7] or seek assistance from drug-counseling websites. The world economy depends on the Internet; everyday business is conducted over the Internet, with highly sensitive and confidential data being transmitted.

The widespread adoption and use of the Internet raises a relatively unanticipated potential for surveillance — dystopic scenarios of ‘Big Brother’ increasingly become more probable, due to the relative ease for centralised recording of all content and traffic data on the Internet. The same rhetoric used with the introduction of CCTV surveillance cameras is being used to justify the introduction of data retention, with an equal lack of evidence.

In face of opposition to retention of transmitted content, proponents of data retention laws propose to retain meta data – information about the content being transmitted rather than the content it self. However meta/traffic data is not, and should not be considered to be less invasive than content data, and should be afforded the same legal protections. Meta data may in fact require more stringent legal protection — it can be more effectively processed, and analysed automatically. When combined with other data, specific patterns, can be searched for then sorted to certain criteria, all of which is unachievable with content data — and this can be used to decipher and intrusively deduce a wide variety of information about an individual — analysis can reveal a ‘person’s political, financial, sexual, religious stance or other interests.’[8] However this analysis is not foolproof, and will lead to erroneous incrimination or suspicion. Fishing expeditions by law enforcement present problems, and there is also the issue that traffic data sometimes cannot be linked to a single individual, in that often affects a number of different users simultaneously.[9]

With data retention laws, the typical understanding of law enforcement takes on a new dimension, and the ability to track citizens far exceeds what we traditionally understand of the powers granted to law enforcement. Access to such a wide variety of data, by law enforcement and government officials, especially in secrecy, can and will be abused. Furthermore, the government in its enthusiasm for surveillance, could not adequately ensure that all data retained would not be at risk to abuse from third parties — either by malicious access to vast databases, or unauthorised misuse of traffic data. Prominent individuals for instance, or even politicians may be compromised, forced to resign or even blackmailed.

In addition to the issues regarding the invasion of privacy and abuse, there is the issue of cost. Any data retention scheme will have significant costs associated, whilst providing no commercial benefit to the CSP. CSPs must make substantial initial investments in infrastructure, staff and process development with ongoing operational costs, for instance maintenance and staff providing retrieval, verification and advice services to law enforcement — costs which must either be subsidised by the government itself, with marginal costs borne by telecommunication providers or the entire cost of compliance to be borne by telecommunications provider, which inevitably means increased costs for consumers, and significant cost burden on the CSP. If the government does initially sponsor such retention, history does show this situation is only temporary, eventually these costs become recognised as simply part of ‘doing business’ and costs of compliance — the inevitability of cutting corners with respect to security and integrity would then become a significant concern. After all, this data retained is of no use to CSPs.

It is important here, in determining whether blanket retention is justifiable, to distinguish between different approaches to data retention — that is, the difference between the mass, wide-scale, dragnet retention of data and targeted personal surveillance — surveillance or monitoring of an identified person, for specific reason, sanctioned by judicial warrant.[10]

Whilst the latter (with judicial oversight) is acceptable and necessary for the purpose of pursuing legitimate criminal investigation, the other creates unnecessary suspicion, fear and distrust. This has a ‘chilling effect’ on public discourse — a threat to open communication, to political activity. It also means that consumers may refrain from participating in legitimate and and lawful discussion and transactions in fear that these transactions may be logged and retained for years, potentially to be used against them. Indiscriminate retention is incompatible with human rights and for this purpose cannot be considered legal or legitimate.

It should be noted that it is an arms race between those who implement surveillance, and those who seek to avoid it. Where active surveillance is prominent, it encourages the use of counter-surveillance technologies and methods to help in retaining anonymity and the privacy of communication — this inevitably makes the job of legitimate law enforcement activity much more difficult and costly. People are already familiar with technologies such as Virtual Private Networks (VPNs), simply using HTTPS, or any protocols that support encryption achieve some of these aims. With IPv6 being deployed in coming years, encryption will become an integral party of Internet traffic.

The question is then, for what purposes can such data be used for by law enforcement, should it be retained. Of course, the prevention and investigation of serious criminal activity are the usual stated purposes of data retention regimes — however what serious criminal activity actually is, can often vary according to perspective. Without doubt, terrorist activity or the distribution of child sex abuse material are serious criminal activities, but will this also include other ‘cybercrime’[11] for instance copyright infringement?

The Cybercrime Convention

The debate in Australia surrounding retention of data began in the late 1990s, with the development of the Council of Europe Cybercrime Convention[12] (the ‘Convention’) — a treaty that although providing with the best of intentions a greater fluidity to cross-border law enforcement and co-operations, has serious flaws that do not adequately protect civil liberties and privacy to counterbalance potential abuses by law enforcement and government, that detracts from these ‘good intentions’.

The Convention grants law enforcement agencies power for direct access to entire ISP networks, effectively mandating mass surveillance — eaves dropping, interception of private email and any other communication, with insufficient specification in the way of strict procedural safeguards and limitations. Although this may not be a issue for nations with substantial protections, the agreement is being touted as a global standard, after the UN process to establish an International Cybercrime Treaty that adequately respected the centrality of human rights and the necessary safeguards[13] for any criminal justice system, failed.

There are significant concerns, especially regarding the authorisation and implementation of invasive surveillance regimes [like Carnivore, the FBI ‘internet tapping’ system,[14] now replaced by NarusInsight and rebranded as a slightly more benign ‘Digital Collection System’,] which is used for mass surveillance and monitoring of Internet communications in real-time within the US, the use of which was subject to court proceedings, in a class action lawsuit led by the Electronic Frontier Foundation (EFF).[15]

Should a data retention scheme ever be implemented, its expansion will be inevitable. The government cannot guarantee, that should it even implement a system with significant protections, that a subsequent government would not amend these safeguards or expand the scope of data retained. We already see the expansion of the European directive for Internet searching history,[16] how long is it before significantly more draconian measures are demanded, for instance the presentation and recording of identification at telephone booths, Internet cafes and wireless hot spots because the current retention regime is ‘incomplete’, and may be evaded? To pursue mass surveillance and retention of all telecommunications traffic data is to begin the journey down this path.

[1] Ben Grubb, ‘Inside Australia’s data retention proposal’ ZDNet 16 June 2010 <> at July 21 2010.

[2] Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications networks and amending Directive 2002/58/EC [2006] OJ L 105/54

[3] The Attorney General’s Department is refusing to release documentation as to what it has asked of ISPs in it’s enquiries, citing ‘unnecessary debate and could potentially prejudice and impede government decision making‘ — this is entirely unacceptable for a debate on an issue that potentially will unjustifiably and en masse, invade the privacy of the majority of Australians. The debate on data retention should be open, transparent and evidenced based;  Ben Grubb, ‘No Minister: 90% of web snoop document censored to stop ‘premature unnecessary debate’ The Sydney Morning Herald, 23 July 2010 <–premature-unnecessary-debate-20100722-10mxo.html> at 23 July 2010.

[4] In Australia, particular pressure has also come from bombings in Bali in October 2002 and October 2005.

[5] It also curious, that Europe in leading the way with the regulation of transaction logs within the Information Society with the establishment of data privacy regime that limited the collection, processing, retention and access to this information, had then implemented the legislative architecture for mass surveillance, despite significant public opposition and little evidence based justification.

[6] Martin Gill and Angela Spriggs, ‘Assessing the impact of CCTV’ Home Office Research Study 292 (2005) <> at 21 July 2010.

[7] For instance, the NSW Health Department supports a non-profit Rape Crisis Centre; <> at 21 July 2010.

[8] Patrick Breyer, ‘Telecommunications Data Retention and Human Rights: The Compatibility of Blanket Data Retention with ECHR’ European Law Journal 11(3) 3 May 2005, 365-375.

[9] Ibid.

[10] Except for exceptions created within, for instance, the Telecommunications (Interception Act) 1979 for the domestic Australian Secret Intelligence Organisation (ASIO).

[11] For instance in the Council of Europe Cybercrime Convention the inclusion of ‘copyright infringement’ is quite curious — whilst many nations may be a signatory and already have complied with Article 61 of the Agreement on Trade Related Aspects of Intellectual Property Rights (TRIPS), nations that may accede to this agreement may not have. Copyright is far from stable, and should not be included within such agreements. It comes as little surprise that groups like the Recording Industry Association of America (RIAA) welcomed the agreement.

[12] Council of Europe Convention on Cybercrime, opened for signature 23 November 2001 CETS 185.

[13] In compliance with the Resolution adopted by the General Assembly on the report of the Third Committee (A/55/593) 55/63 Combating the criminal misuse of information technologies that “[t]he fight against the criminal misuse of information technologies requires the development of solutions taking into account both the protection of individual freedoms and privacy and the preservation of the capacity of Governments to fight such criminal misuse”.

[14] American Civil Liberties Union ‘The Seven Reasons Why The Senate Should Reject The International Cybercrime Treaty’ 18 December 2003 <> at 21 July 2010.

[15] <>

[16] Written Declaration 29, Rule 123 of the Rules of Procedure on setting up a European early warning system (EWS) for paedophiles and sex offenders; Christian Engström, ‘Written declaration 29, for data retention of Internet searches’ 31 May 2010 <> at 21 July 2010.