The case for data retention has been significantly undermined by the revelation that ASIO has barely used an existing power to order communications companies to preserve metadata.
For nearly two years, ASIO, the AFP and state police forces have had the power, under the Cybercrime Legislation Amendment Act 2012, to require communications companies to store information that may help in the investigation of a “serious contravention” — an offence punishable by three years or more in jail — for up to 90 days before getting a warrant to access the data. The only limitation on the requests apart from the seriousness of the offence is that it must be targeted at one person, but an agency can issue as many preservation notices as necessary. Data from the United Kingdom shows that nearly three-quarters of all data requests from law enforcement and intelligence agencies to communications companies involved data less than three months old, or just over 90 days.
According to the Inspector-General of Intelligence and Security, however, during 2013-14, “there was a very small number of such notices raised by ASIO.” The lack of usage, revealed in IGIS’s annual report, suggests there’s little evidence one of the key rationales put forward by agencies like ASIO for data retention, what’s known as “going dark”, is occurring for intelligence-gathering. “Going dark” is the US term for the technology-driven switch in communications company record-keeping that means information on customer usage isn’t kept longer than a billing cycle, thereby — theoretically — reducing the amount of information intelligence and law enforcement agencies can access for investigative purposes. The preservation notice system explicitly enables agencies to require communications companies to hang on to any historical data, and newly created data, for up to three months and then access the information with a warrant.
Prominent internet service provider iiNet has repeatedly argued that there has been no explanation from the government or agencies for why an additional data retention regime over and above the preservation notice regime is needed, or what flaws exist in the preservation notice system, which is barely two years old, that render it problematic for agencies.
There are possible alternative explanations for the dearth of ASIO preservation notices: one is that agencies are obtaining information, in effect, off the books via informal relationships with communications carriers, in which ASIO, the AFP and other agencies ask telcos and ISPs to preserve and provide data on a subscriber without a warrant or even the basic paperwork required by the preservation notice system. The other is that ASIO is not providing the information to IGIS. As Crikey reported on Monday, the annual report provides detail about an investigation into serious incidents involving firearms and alcohol consumption among Australian Secret Intelligence Services officers, in which “substantial discrepancies” were discovered in the information provided to IGIS by ASIS. Despite the claims of the IGIS herself, Dr Vivienne Thom, that anyone lying under oath to IGIS can be jailed, there are in fact no penalties for providing incorrect or incomplete information to an IGIS investigation if it’s not done under oath, and most of IGIS’s work is done via examination of agency records, not evidence under oath.
So, either one of the key justifications for data retention doesn’t stand up, or our intelligence and law enforcement agencies are obtaining data other than via the proper mechanism laid down in legislation, or they’re not telling IGIS the full story. Take your pick from which of those is most comforting as the government prepares to bring forward legislation enabling those agencies to engage in mass surveillance.