The government appears confused about what data will be retained under its data retention scheme — but it could include your social media activity and your whole internet browsing history.
The mandatory data retention scheme to be imposed by the government may include information about your Twitter and Facebook profiles and about other social media platforms. And the Prime Minister caused confusion this morning when he said it may even extend to internet browsing history — a dramatic expansion of the scheme proposed by Labor in 2012.
Attorney-General George Brandis yesterday signalled other reforms proposed by the previous government and considered by the Joint Committee on Intelligence and Security in 2012-13 would be brought forward in a second tranche of legislation to be introduced when Parliament resumes later this month. Central to the reforms proposed by previous Labor attorney-general Nicola Roxon and considered by JCIS was a complete overhaul of the telecommunications interception framework in order to modernise it. Modernisation included bringing all carriage and carriage service providers — which includes social media service providers — within the ambit of Australian government regulation. The new framework is called the Telecommunications Sector Security Reform process, which has been underway since last year.
A data retention scheme that included social media platforms might not require actual content such as tweets but the retention of data linking a social media account to a source IP address, as well as frequency of account use and any other personal information acquired in relation to an account.
“It appears the Prime Minister did not understand the distinction between metadata and browser history, a threshold issue that has huge implications for the storage and cost requirements for a data retention scheme …”
But this morning confusion reigned over the definition of data that communications companies would be compelled to retain after the Prime Minister, apparently unsure of how far what he termed “so-called metadata” extended, told one media outlet it would include “the sites you visited”, while telling another it would only extend to data produced by ISPs rather than users. The matter was clarified a short time ago when the Prime Minister’s Office confirmed browsing history was not intended to be included.
It appears the Prime Minister did not understand the distinction between metadata and browser history, a threshold issue that has huge implications for the storage and cost requirements for a data retention scheme, as an individual’s browser history can include several hundred addresses per day. That suggests the level of understanding within cabinet of the proposal is remarkably poor for what is a major attack on privacy. However, the previous government also struggled with the definitional issue: months after it had initiated the JCIS inquiry, it clarified that its was considering the European Union’s data retention directive, which is limited only to metadata and not browsing history. Documents obtained from the Attorney-General’s Department by the Pirate Party in February last year also showed AGD officials struggling with logistical and definitional issues.
This lack of clarity is partly because the apparently simple line between metadata and content data is much less clear than it seems, especially for internet usage, but also because law enforcement, regulatory and intelligence agencies have differing views on what they want a data retention scheme to keep, with some pressing for content data as well as metadata.
The outgoing head of the Australian Security Intelligence Organisation, David Irvine, has been forthright in insisting that his agency wants data retention confined to a limited concept of metadata along the lines of the EU directive — but at a recent hearing of Senator Scott Ludlam’s telecommunications interception inquiry, even he wasn’t sure if an email subject line was metadata or content data. And the European experience shows what difficulties can occur if the definition isn’t sufficiently clear: a number of European countries, and a number of ISPs in Europe, interpreted the EU directive to mean content data as well as metadata.
But data about your Facebook, Twitter and Google account usage might yet end up being subject to a data retention scheme. Then it’ll be interesting to see if those companies pay any heed to the Australian government’s war on privacy.