The fate of a bill that potentially opens the door to mass surveillance of internet usage is expected to be determined later this week when the Joint Select Committee on Cyber-Safety reports on the Cybercrime Legislation Amendment Bill 2011
The Bill is intended to enable Australia to accede to the European Convention on Cybercrime by, inter alia
, establishing processes enabling foreign governments to demand the preservation and handing over of internet and telecommunications usage data relating to online crime. However, a range of groups have drawn attention to what is either intentional overreach in the bill or poor drafting that would open the way for authorities, at the behest of foreign governments, to demand the preservation of all user information by ISPs and telcos.
After the bill was introduced in June, a rushed inquiry by the joint committee (chaired by Labor Senator Catryna Bilyk, deputy chair Liberal MP Alex Hawke) was announced, with stakeholders given just five working days to comment on the bill. Nonetheless, bodies like the Australian Privacy Foundation, the law Council and civil liberties groups drew attention to a number of problems
- the bill enables preservation orders to apply to the entire service of a telecommunication provider, meaning all records of all customers of a provider like Optus or Bigpond could be the subject of a single order;
- any Commonwealth agency, regardless of its role, can issue preservation orders, not just law enforcement or intelligence agencies;
- even foreign countries that have not acceded to the Convention on Cybercrime – which has an explicit carve-out for human rights activities – can issue data preservation demands and have them honoured by Australian officials;
- there are no restrictions on how information is used once handed over to a foreign country as the result of a warrant;
- the critical “dual criminality” provisions, which require that material only be preserved and handed over to a foreign government for crimes in that country that have equivalent crimes here, are so poorly worded as to allow any significant contravention of any foreign law to form the sufficient basis for an order, including political offences. Coupled with the absence of a requirement for the foreign country to be a signatory to the Convention, this means a country like China could use the bill to demand the preservation and transfer of data to enable the prosecution of dissidents. And countries that have criminalized file sharing (rather than it being only a civil offence) could demand data to prosecute people at the behest of the copyright industry;
- the bill also fails to distinguish between “traffic data” and the actual content of internet and phone usage;
This last point was a significant issue raised by the Privacy Foundation
, who pointed out in their evidence at the committee’s hearing a fortnight ago that traffic data, unlike content data, can be accessed by authorities without a warrant. However, traffic data is an increasingly powerful tool for tracking people’s communications.
The Foundation's Nigel Waters told the Committee:
"...traffic data is nowadays much more revealing about individuals' communications than it used to be. In the old days it was simply who phoned what number at what time. Now the traffic data, particularly in relation to internet use, is potentially much more revealing of the content of individuals' communications or the likely content of it and therefore the strict rules that apply at the content end under the interception regime do not apply at the traffic end of the spectrum."
Whether the flawed nature of many of the provisions reflect sloppy drafting or intentional overreach is unclear, but the current bill has been in preparation since the Government announced its intention to accede to the Cybercrime Convention in 2010, and reflects similar previous bills, suggesting that drafting flaws aren't the whole story. And bear in mind this isn’t the only ongoing data retention issue – long-term data retention is still in play with the Government continuing to consider a blanket requirement that ISPs retain all traffic data for up to two years.
One of the arguments used to justify such a wholesale assault on privacy is that traffic data is somehow more innocuous than content data.
Virtually none of these issues have received coverage outside the IT press, allowing the Government and agencies like ASIO and Attorney-General’s to get away with creeping, unjustified expansion of law enforcement and intelligence-gathering powers with the support of both major parties. This week will reveal whether Bilyk and Hawke continue that process or draw attention to the problems of this wide-ranging bill.