Parliament’s joint committee on intelligence and security has failed to endorse a data retention regime as part of its response to a slate of proposed national security reforms, instead laying the groundwork for a limited scheme if a government should decide to implement one.
The committee — headed by Labor MP Anthony Byrne and including senior figures such as John Faulkner, George Brandis and Phillip Ruddock, as well as independent MP and former intelligence analyst Andrew Wilkie — was asked to consider 44 national security reforms by then-attorney-general Nicola Roxon in May last year, initially with a tight deadline that was later extended to the end of 2012 to reflect the extent and range of the proposals under consideration. After repeated criticisms of the Attorney-General’s Department about the lack of detail in the proposals, particularly around data retention, by committee members, the committee missed its end-of-year deadline as it grappled with a long list of complex technical, legal, national security and privacy issues.
Data retention occupied most of the committee’s time in its hearings, even though there were 43 other, often significant, proposals before it, such as giving intelligence and law enforcement agencies the power to wiretap social media, infect or alter information on people’s computers, or give intelligence officials immunity from all but the most serious crimes.
With revelations about the massive extent of US and UK internet and telephone surveillance from Edward Snowden, the committee’s view on expanding national security powers to address the challenges of online communication emerges at a critical time.
On data retention, the committee was unable to resolve internal disputes over whether a data retention regime was required. It concluded:
“There is a diversity of views within the Committee as to whether there should be a mandatory data retention regime. This is ultimately a decision for Government.”
The committee’s inability to resolve this highly controversial issue was exacerbated, it says, by the Attorney-General’s Department. In a remarkable statement for such a powerful committee, the report begins with direct criticism of A-GD, complaining that “one of the most controversial topics canvassed in the discussion paper — data retention — was only accorded just over two lines of text” by the department in its discussion paper, which was approved by Roxon:
“This lack of information from the Attorney-General and her Department had two major consequences. First, it meant that submitters to the Inquiry could not be sure as to what they were being asked to comment on. Second, as the Committee was not sure of the exact nature of what the Attorney-General and her Department was proposing it was seriously hampered in the conduct of the inquiry and the process of obtaining evidence from witnesses.
“Importantly the Committee was very disconcerted to find, once it commenced its Inquiry, that the Attorney-General’s Department (AGD) had much more detailed information on the topic of data retention. Departmental work, including discussions with stakeholders, had been undertaken previously. Details of this work had to be drawn from witnesses representing the AGD.
“In fact, it took until the 7th November 2012 for the Committee to be provided with a formal complete definition of which data was to be retained under the data retention regime proposed by the AGD.”
Unable to resolve its concerns about a data retention regime, the committee declined to recommend it. It accepted that data retention would be of “significant utility” to national security agencies. However:
“… a mandatory data retention regime raises fundamental privacy issues, and is arguably a significant extension of the power of the state over the citizen. No such regime should be enacted unless those privacy and civil liberties concerns are sufficiently addressed.”
Instead, the committee chose to lay out a possible limited scheme if a government decides to pursue one. The scheme would involve:
Telecommunications or meta-data data only (i.e. no content; where meta-data cannot be separated from content, it must be regarded as content and not retained)
No internet browsing data of any kind to be stored
All retained data to be encrypted
Data retained for a maximum of two years (no minimum was specified)
The (potentially significant) costs borne by government
Independent audits to check no content data is being stored
Agency access to be overseen by the Inspector-General of Intelligence and Security and ombudsmen
Any legislation establishing a scheme be the subject of public consultation and oversight by JCIS as well, with annual report and triennial review requirements.
Coupled with a review to curb the number of entities that have access to meta-data (including, currently, organisations like the RSPCA), the data retention scheme outlined by the committee — but not recommended — would be highly limited, particularly given the limitation on internet browsing data, assuming any bill survived the process of scrutiny to which it would be subject
Among the other recommendations by the committee in what is a long and detailed report, the committee rejected a proposal to allow ASIO officers to stop and search individuals as well as premises, recommended the number of agencies with access to telecommunication data be reviewed with the aim of reducing them; a comprehensive public process of revision of the Telecommunications (Interception and Access) Act to address privacy, technology and industry concerns; the committee did not endorse a proposal to allowed ASIO to “disrupt” computers but merely recommended further consideration to it, but did recommend ASIO be permitted to access target computers via third-party computers; that proposals to protect ASIO officers from criminal liability match the current scheme applying to the Australian Federal Police.
Attorney-General Mark Dreyfus said in a media release that data retention was off the agenda for the moment. “The Committee did not make a recommendation in relation to whether Australia should pursue a data retention regime, but the Committee did make a number of recommendations in relation to the details of a potential data retention regime. Accordingly, the Government will not pursue a mandatory data retention regime at this time and will await further advice from the departments and relevant agencies and comprehensive consultation.”