Several months after the Attorney-General initiated an inquiry on data retention, we finally got a definition of “data” this week. It’s all a bit of a shambles.
It’s become clear over the course of several months that the Attorney-General’s Department has produced what will become a classic how-not-to example of shaping public debate on important issues.
Its discussion paper on its 44 proposals for reform of national security laws to be considered by the Joint Committee on Intelligence and Security is, not to put too fine a point on it, a shambles, one that has created more problems than it solved for the government.
To be clear, Nicola Roxon and the government are to be commended for initiating a public inquiry into national security reforms. Previously, both this government and the Howard government took the view that even the most draconian national security laws should be rushed through parliament with as little scrutiny as possible. Roxon’s approach is a welcome change which, hopefully, will become the template for future amendments to national security laws.
But the whole exercise has been undermined, to the point of dysfunctionality, by the AGD, a department unused to public scrutiny or explaining and justifying its demands for extensions of national security powers. This was, after all, the department responsible for the hilarious “illegal fishing” justification for the WikiLeaks ASIO amendment.
As a result of considerable toing and froing between the government and the Joint Committee after Roxon’s initial attempt in May to establish the inquiry, the timeline for the inquiry was considerably extended and a discussion paper was prepared by AGD to supplement the terms of reference around the 44 proposals. Despite its length of over 60 pages, it was clear from the outset that the paper was badly put together. In particular, on the most controversial proposal of all, a two-year data retention scheme, there was, literally, no discussion at all.
That this omission was cleared through the various levels of AGD suggests real problems with that department’s basic political sensibility. Assuming it was cleared by Roxon’s office, it was also a startling omission there as well.
As the inquiry got under way and data retention began to garner the predictable attention, the magnitude of the error became clear. After repeated public complaints about the vague nature of the data retention proposal in particular from committee member John Faulkner, Roxon wrote to the committee to clarify the nature of the data retention proposal — stressing that she of course hadn’t made up her mind on the issue — and citing the European data retention directive as a model.
Roxon also had to clarify another proposal that was undiscussed in the Discussion Paper, criminalising failure to assist decryption, via a letter to a newspaper.
This week there was a further clarification, via Estimates. During the Legal and Constitutional Affairs Committee’s hearings with the AFP, AGD produced a definition of non-content data that would be captured by a data retention scheme in response to questions from Greens senator Scott Ludlam. This led to an exchange that seemed to infuriate AGD Secretary Roger Wilkins, over whether the URLs that an IP address visited would be captured by the definition. Wilkins insisted, threatening to resort to “words of one syllable”, that URLs fell outside the AGD’s and the AFP’s definition of non-content data.
This of course differs from the view of an agency in another portfolio, the Australian Securities and Investments Commission, which wants full retention of every single piece of internet traffic an IP address generates.
But the AG-portfolio definition aligns broadly with the EU data retention directive, which specifies about internet usage
(i) the date and time of the log-in and log-off of the Internet access service, based on a certain time zone, together with the IP address, whether dynamic or static, allocated by the Internet access service provider to a communication, and the user ID of the subscriber or registered user;
(ii) the date and time of the log-in and log-off of the Internet e-mail service or Internet telephony service, based on a certain time zone;
The problem in Europe, however, has been that in a number of instances the directive was misinterpreted — whether deliberately or otherwise — and URL data retained.
This definition might have been useful in the AGD submission to the inquiry (as distinct from the discussion paper), recently made available. In its section on data retention, in which AGD downplays the problematic nature of the EU directive, the department provides no definition whatsoever of “telecommunications data”.
But the AGD submission also re-confuses an issue that had seem clarified by the Attorney-General herself. In her letter to the Herald Sun, Roxon said about the proposal for the criminalisation of failure to assist with decryption that
“There is also no proposal to enforce people to give up passwords. There are already powers for law enforcement agencies to compel suspects to decrypt data such as child p-rnography held on a computer to turn unintelligible information into compelling evidence against these serious criminals. The question we’re asking the committee is whether this should extend to live communications like chat rooms for crimes like p-edophilia.”
This contradicted the discussion paper, which referred very vaguely to industry decryption. The AGD submission initially makes the same contrast Roxon does between decrypting material obtained under a warrant, currently allowed under the Crimes Act and inability to demand decryption live communications intercepted under a warrant, but then widens the proposal again by saying “a consistent approach to that contained in the Crimes Act would ensure that information lawfully accessed for national security or law enforcement purposes under the TIA Act was intelligible”.
Nor does it fit well with Roxon’s assurance “there is no proposal to enforce people to give up passwords”.
As Faulkner pointed out, one of the problems with having an inquiry into mere “proposals” is that, without detailed legislation to assess, everyone’s in the dark about exactly what they’re talking about. And until this week AGD has done little to shed any light.