While most of the focus at last Friday’s Joint Committee on Intelligence and Security hearing with the Attorney-General’s Department focused on the definition of data retention and the extensive work that department had put into preparing data retention laws in secret, part of it revolved around an issue of longer-term and perhaps international significance: the quest to extend Australian attacks on privacy and anonymity offshore.
It dealt with three related issues, all raised by Andrew Wilkie’s rather Socratic question to AGD officials (a transcript has not yet been made available by Hansard) — whether the proposals under consideration would simply affect law-abiding citizens while the targets of these proposed significant extensions of state surveillance powers, the bad guys, would use encryption tools and offshore-based services to avoid detection.
The stakes here are broader than simply for the privacy of Australian citizens. Governments around the world, democratic or otherwise, want to rein in the internet, to “civilize it”: they see it as a wild west that needs the rule of law imposed on it. And one of their greatest frustrations is the difficulty of essentially national agencies in dealing with something that is innately global, meaning governments have to resort to complex, hard-to-negotiate international agreements to effectively impose control on it.
So far, that has proved difficult. For every European Cybercrime Convention, there are dozens of jurisdictional issues about the internet. English judges and lawyers rage futilely at the way social media defeats superinjunctions. US content companies demand ever more ridiculous laws to prevent filesharing. Irish newspaper sites carry prohibited details of Australian criminal cases. The Chinese dictatorship has to resort to hacking and social engineering to try to access dissidents’ offshore-based email accounts.
Get Crikey FREE to your inbox every weekday morning with the Crikey Worm.
It’s clear that anglophone governments, at least, are working to stop this. The three issues canvassed in the discussion that ensued from Wilkie’s question shed light on both what the Australian government has been doing, and the attitude of officials.
First, there’s government-to-government cooperation. AGD Secretary Roger Wilkins told the committee that his department was considering pursuing with the governments of the United States, the United Kingdom, Canada and New Zealand the possible harmonisation of data retention laws. Wilkins declined to talk further about such discussions, preferring to tell the committee at the in-camera hearing that followed.
However, the government has previously admitted it is in talks with other governments about imposing a common data retention regime. ZDNet reported last year on bilateral talks with the US about a shared data retention regime. The US is the key government for such discussions given the dominance of US-based social media, email and VOIP providers.
The US doesn’t have a data retention regime but it does have a data preservation regime, under which law enforcement and intelligence agencies can demand telcos and ISPs retain data of an identified user for up to 90 days while they obtain a subpoena to access it. Australia has a similar regime. Both countries are also parties to the European Cybercrime Convention, under which signatories are required to order the preservation of data at the request of another government. Australian laws were amended earlier this year to permit this.
Australia, of course, has long worked closely with anglophone countries on intelligence-sharing, right back to WW2 and its aftermath. We’re also participants in anglophone-dominated international online crime taskforces like the Virtual Global Taskforce (which targets child abuse) and the “quintet” of anglophone Attorneys-General. So the building blocks of an international data preservation scheme, the institutional framework, is already in place; these could be used for an international data retention scheme.
AGD officials also said they had held discussions with major offshore social media providers and had made some progress with them, although they seemed to suggest Facebook and Google had been their interlocutors; Twitter has been far more reluctant to comply with requests for user data even from the US government. AGD insists that if a service is provided to Australians then the service provider must comply with Australian laws.
But this is more obscure territory: any agreement by, just for example’s sake, Facebook and the Australian government to retain telecommunications data would be voluntary and would not abrogate Facebook’s obligations under US law. Moreover, exactly to what it would relate is the key issue: Facebook might be quite happy to agree to a data preservation regime but refuse to engage on a data retention regime; it might cooperate with one-off issues (say, a life-and-death or high-profile criminal case) without committing to a systemic policy. AGD officials were also unable to answer Wilkie’s question about what, in the context of social media, “telecommunications data” actually meant.
Despite these discussions, Wilkins agreed with Wilkie that offshore-based providers’ compliance with Australian law was “on a whim”, which is patently an undesirable situation: neither law enforcement agencies nor users thus have any certainty about the status of private data.
When Wilkie raised the issue of encryption, specifically referring to Tor, Wilkins’s response was more, well, direct. “We’ll demand the encryption keys,” he said. Wilkins may not have specifically had Tor in mind when he made such an open-ended statement, but I asked Jacob Appelbaum, security research and Tor developer for his views about Wilkins’s comments.
Appelbaum pointed out Tor doesn’t even use permanent encryption keys. “What keys? All *encryption* keys are temporary, only used during a given session — never written down, never known by admin. It is clear that people like Roger Wilkins do not even know what they’re talking about when they make such statements. Will Roger Wilkins demand that we change a secure architecture into an insecure one to suit the expansion of authoritarianism?”
In response to a question from Phillip Ruddock, Wilkins said AGD had also discussed forcing offshore-based encryption providers to disclose encryption keys with other governments. In the event governments are able to negotiate such “mutual assistance” agreements with each other, encryption using decentralised systems like Tor will be the only solution for anyone wishing to preserve basic privacy.
This bears watching. Governments do want to regulate the internet. And your privacy is the target.