The Attorney-General’s Department has relaunched its campaign for a mandatory data retention regime but has flagged it wants to avoid the mistakes of the Rudd and Gillard era by consulting with both industry and privacy advocates before proceeding. However, it has also flagged expanding telecommunications interception powers to social media companies such as Twitter and Facebook and renewed its push to create a criminal offence for refusing to decrypt information seized by police.

In a letter to the Senate Committee on Legal and Constitutional Affairs, AGD secretary Roger Wilkins has confirmed his department has undertaken a variety of work on data retention since the election, after Wilkins told Greens Senator Scott Ludlam at Senate estimates in February he didn’t know if any work had been done. The work includes briefings for Attorney-General George Brandis (including question time briefs) and follow-up work, including work with state and territory agencies, on last year’s report by the Joint Committee on Intelligence and Security. The JCIS report considered a range of reforms to law enforcement and intelligence-gathering powers, including in telecommunications, and refused to endorse a mandatory data retention regime.

The department has also provided an extensive submission covering similar ground to the Legal and Constitutional Affairs References Committee’s inquiry into the Telecommunications (Interception and Access) Act, initiated by Ludlam in December. On mandatory data retention, the department told the committee:

“… further exploration of options is necessary and that detailed consultation needs to occur with key stakeholders, including the  telecommunications industry and privacy advocates before providing detailed advice to Government to support any decision on this topic.”

AGD’s previous attempt to establish a scheme under Kevin Rudd involved secret consultation with industry and an attempt to rush a scheme through cabinet before the 2010 election. Under Julia Gillard, the department suggested the process be recommenced with public consultation, but was rebuffed by the government until then-attorney-general Nicola Roxon included data retention in the reforms referred to JCIS in 2012. This time, it appears, AGD at least wants to bring non-industry stakeholders into a consultation process, although it has not flagged public consultation.

The department also tells the committee it supports reducing the number of agencies with the power to obtain telecommunications data from service providers — that list currently includes local government, regulatory agencies and even NGOs like the RSPCA — as an alternative to requiring a warrant to obtain data from service providers. It also proposes that in some cases agencies be prevented from accessing not only “content data” as opposed to telecommunications data (a distinction AGD has previously argued for), but “traffic data” that provides information about location and duration of communications. “Account-holder data” may be all that is needed in some cases, AGD says — seemingly an effort to address concerns that telecommunications data, or metadata, in fact can provide far richer information about someone than the content of a single phone call.

“The proposal creates the bizarre prospect of AGD attempting to regulate Twitter, Facebook and other social media …”

To be fair to AGD, the submission is superior to the discussion paper it presented to JCIS, which was savaged by committee members like John Faulkner and which Wilkins admitted wasn’t up to scratch. That paper didn’t even mention data retention in any detail, nor did it offer a definition of what data should be retained, an error that Roxon was left to clean up later. That’s not to say the submission is perfect — there’s the slightly unpleasant use of the murder of Jill Meagher and the arrest and conviction of her killer without mentioning their names as justification for the importance of telecommunications data. And the statement “[t]errorists in Australia use the internet to plan attacks and receive training from international terrorist groups” is evidenced by a reference to the Howard government’s hysterical 2004 terrorism white paper, a document so bad even the Lowy Institute criticised it.

However, as with data retention, the submission goes into more detail about proposals that were at best elliptical, or more accurately entirely nebulous, in the JCIS paper. Chief among these is a proposal to bring “ancillary service providers” like Twitter and Facebook into both the Australian telecommunications privacy protection framework and the “industry assistance framework” that provides for telecommunications interception. AGD says:

“The Department’s preliminary assessment is that the comprehensive revision of the TIA Act may provide a range of opportunities to modernise the industry assistance framework, including ensuring that the scope of the framework is fit-for-purpose and appropriate for the modern telecommunications environment — in particular, by ensuring that the framework applies to ancillary service providers … exploring models for interception capability obligations that reduce the existing regulatory burden on carriers and carriage service providers, and mitigate the regulatory burden for newly-regulated ancillary service providers.”

The proposal creates the bizarre prospect of AGD attempting to regulate Twitter, Facebook and other social media both to protect Australians’ privacy and to establish the mechanism for agencies to breach it, while law enforcement and intelligence agencies in the AG’s and other portfolios participate in the “Five Eyes” mass surveillance programs revealed by Edward Snowden that systematically target such companies, often without their knowledge or co-operation.

The department is also clearer that it wants to be able to force companies, including ancillary services providers, to decrypt information obtained by agencies that is encrypted — although it wouldn’t be a criminal offence not to co-operate — and to make it a criminal offence for individuals to refuse to co-operate in decryption, a proposal that was vaguely described in the JCIS paper and then narrowly construed by Roxon in another of her efforts at damage control. However, the proposal raises the prospect of AGD attempting to force Tor administrators or foreign virtual private network providers to decrypt information — a problematic prospect without intergovernmental co-operation and useless in any event for encryption that uses temporary keys unknown to administrators.

And for social media companies, already facing a government effort to force them into an internet censorship scheme on the pretext of “cyberbullying”, all of this represents a new front on gathering efforts to strengthen surveillance.

Peter Fray

Fetch your first 12 weeks for $12

Here at Crikey, we saw a mighty surge in subscribers throughout 2020. Your support has been nothing short of amazing — we couldn’t have got through this year like no other without you, our readers.

If you haven’t joined us yet, fetch your first 12 weeks for $12 and start 2021 with the journalism you need to navigate whatever lies ahead.

Peter Fray
Editor-in-chief of Crikey