So after many years of working on data retention, after being scolded by the Joint Committee on Intelligence and Security for its laxness, having been questioned and criticised in December at committee hearings for its failure to do so, has the Attorney-General’s Department resolved the details of the mass surveillance scheme it wants to impose on Australians?
Hardly. AGD’s submission to the inquiry into data retention maintains the department’s long history of refusing to offer a definition of what data it wants to force communications companies to keep. As for the cost of the scheme — which you will pay for either as a taxpayer through a government contribution to the cost of the scheme, or as an ISP customer via a surveillance tax that ISPs will need to pass on to ensure they’re not out of pocket — forget about that, too. Indeed, the AGD submission barely even mentions the issue of cost.
AGD has been behind a push within the federal government for mass surveillance since at least 2008. The only AG to push back against the department was Mark Dreyfus, who during his short stint at the end of the Rudd-Gillard-Rudd years, ruled out data retention in the shadows of the 2013 election. But as Crikey has previously reported, the department’s own incompetence tripped it up as it sought to convince successive attorneys-general to bring such a scheme forward in secret.
The failure of AGD — which is said to be riven by factions and ideological splits — to produce a final definition of the data it wants to force communications companies to keep, and to identify the cost of this scheme, even several months after the bill establishing the scheme has been introduced, is thus unsurprising. That many members of the Joint Committee on Intelligence and Security appear relaxed about being treated with such open contempt by AGD is more surprising, and augurs poorly for the expanded oversight role the committee has recently sought. Chair Dan Tehan, in particular, has been too indulgent of AGD, demonstrating that a backbencher with hopes for promotion may not be the best fit for a committee that should be as independent as possible.
On a major issue, however, AGD has failed to do its homework. As Crikey has reported, and others like Chris Berg (in a superb submission on behalf of the IPA) have also detailed, there is a data retention scheme in existence right now — the data preservation scheme established in 2012 when Australia “acceded” to the European cybercrime convention. This enables law enforcement and intelligence agencies to require communications companies to preserve data for an individual for up to 90 days before having to get a warrant to see it. However, ASIO has virtually ignored data preservation notices despite regularly complaining about not being able to access information. Plainly grumpy about this contradiction, AGD argues in its submission:
“The purpose of preservation notices is to ‘quick freeze’ volatile or perishable electronic evidence that a provider possesses for a short period of time, to allow agencies time to apply for and obtain a warrant to access that information … Preservation notices will not, therefore, address the fact that service providers are not retaining critical types of telecommunications data, or are retaining that data for shorter periods of time.”
Unfortunately, whoever wrote the AGD submission didn’t check the department’s previous talking points. AGD officials gave evidence to a parliamentary committee hearing in 2011 on the data preservation scheme, along other aspects of the cybercrime convention bill. Catherine Smith, the mid-level AGD bureaucrat who until last year had overseen the push for mass surveillance, told MPs in August, 2011:
“… the reason we have a preservation regime is that we have been advised by both industry and agencies alike that that data is vulnerable because it is destroyed for their own business purposes, which they have documented to us. That is why we need to ensure — not go on a cooperative basis, but actually have the legislation in place.”
Smith has since moved on to greener pastures within AGD, and evidently didn’t leave a handover note telling her successor to ensure that the department is at least vaguely consistent in its explanations.
There’s another contradiction that’s not on the public record, but which potentially has major implications. AGD insists in its submission that it has no plans to impose data retention on overseas-based social media companies:
“The Department acknowledges that there are a number of service providers that have a significant presence in the Australian telecommunications market that do not own or operate such infrastructure in Australia, and that therefore will not be covered by data retention obligations, including the major social media providers … attempting to impose extraterritorial data retention obligations would give rise to significant jurisdictional and conflict-of-laws issues.”
However, a senior intelligence community figure has told Crikey that AGD — apparently without government authorisation — has been advising major companies such as Facebook that it plans to attempt to bring them under Australian surveillance laws. “This is a rogue agency,” the figure told Crikey, “engaged in thugging social media companies.” AGD sees this data-retention bill as just the start of a wider surveillance scheme.
And while, as Crikey noted yesterday, AGD’s attempt to claim that data retention will have no implications for journalists and whistleblowers in fact demonstrates exactly what a threat to journalists and whistleblowers it will be, there is a certain honesty in AGD’s explanation for why data retention is required. The submission says “[t]elecommunications data is becoming increasingly important to Australia’s law enforcement and national security agencies as they lose reliable access to the content of communications. This threat has increased significantly since the Snowden disclosures.” AGD doesn’t go into any further detail but we explained why in November: the Snowden revelations have prompted the world’s biggest IT companies, and consumers, to start encrypting their communications, generating the very “going dark” problem that data retention is supposed to fix.
This is the ultimate, self-reinforcing logic of the surveillance state: governments have been illegally spying on their own citizens, citizens have learnt about this and reacted by moving to protect themselves, and that, in turn, becomes the justification used by security bureaucrats for still more surveillance.
What AGD forgets, or ignores, is that the self-reinforcement also works the other way. If it is successful in imposing mass surveillance on Australians, that will simply prompt a new wave of encryption and anonymisation to hide from the prying eyes of Canberra’s authorised voyeurs.
Bernard Keane has made a submission to the JCIS inquiry in a private capacity; Private Media, which owns Crikey, has also made a submission.