Data retention will hurt YOU, not criminals. Here's how
The government's data retention is far more likely to harm ordinary Australians than catch criminals or terrorists. Bernard Keane and senior IP and communications lawyer Leanne O'Donnell explain how.
Debate over a data retention scheme can seem abstruse, given the technical aspects of the debate and the complex legal and philosophical issues around freedom of speech, a free press and privacy.
The Prime Minister is demanding that a mandatory data retention scheme be rushed through Parliament with little debate and less information — there is no settled definition of what data is to be retained, and the telephone and ISP companies that will be forced to implement the scheme don’t know the costs they will face. Tony Abbott claims it is a national security priority, but in fact, there is nothing in the bill that will limit the use of data retention to terrorism or the most serious crimes. The Australian Federal Police have even said it will be used to investigate people who download movies.
But the scheme will have direct impacts on all Australians. It will increase the cost of internet access, as companies pass on the costs of the scheme, expected to be in the hundreds of millions of dollars — call it a “surveillance tax”, since you’ll be paying for your own government to collect data on you. Smaller ISPs will have to meet the costs of the scheme while competing against larger companies, likely reducing competition in that industry. It will also be a strong disincentive for companies to invest in communications infrastructure in Australia, placing our economy at a competitive disadvantage.
And potentially data retention will affect Australians in ways the government has preferred not to discuss. The following are a series of scenarios that could plausibly occur under an Australian data retention regime. Indeed, many of them are based on incidents that have occurred in other countries in recent years.
A Sydney grandmother receives a demand for $10,000 from an American “copyright troll” law firm, which threatens to sue her unless she pays. Using a preliminary discovery application directed to her Australian ISP, the firm obtained her contact details associated with the IP address detected as having downloaded a movie — which her visiting grandson obtained via a file sharing site.
A media company engaged in phone hacking and bribery of public officials hires a private detective to “compile a dossier” on the lawyer representing many of its victims. The detective bribes a police officer to secure the metadata of the lawyer, and a check of her phone calls records shows she has recently contacted an abortion clinic. The company is in a position to threaten to reveal the information unless she abandons litigation.
A wealthy US-based religious cult is accused of keeping its members in “virtual slavery” by an Australian politician. The cult sues the politician making these claims and uses the litigation to subpoena his telephone records, thereby identifying the cult members who have contacted him to provide him with information. They are ostracised, sued and harassed by the cult.
The estranged partner of a mother and children with an apprehended violence order against him initiates Family Court proceedings against his former wife alleging a breach of access orders and challenging custody arrangements. The proceedings allow him to subpoena the records her telephone company has retained on her, enabling him to identify that she is in a new relationship. He uses the data to track down her new partner and assault and threaten him.
An Australian communications company, faced with significant costs to implement the data retention scheme, chooses a cheap foreign-based cloud storage service to store its customers phone and internet records. The service is poorly secured, and hackers obtain customers’ personal information. As there is no mandatory data breach notification law in Australia, the company does not reveal the breach. The first its customers learn of the breach is when their personal details appear on the internet and the incident is reported in the press.
Chinese hackers target Australian communications companies in the search for information relating to Chinese dissidents living in Australia. Breaking into a phone company’s data retention records, they identify the phone records of their targets, including whom they have been calling in China. Their Chinese family members and friends are arrested and interrogated by Chinese authorities.
ASIO bungles a “special intelligence operation”, resulting in the death of an undercover officer. The Attorney-General, reluctant to be seen to be less than supportive of his intelligence agency, agrees to the Director-General’s request that the matter be kept quiet. An ASIO officer, outraged that those responsible for the death will not be held accountable, provides an internal report to a journalist. The AFP obtain both the telephone and email metadata records of the journalist and discover email contact between the private home account of a serving ASIO officer and the journalist. Both are charged and imprisoned, with the media unable to report the details of the case.
Against those scenarios, police forces claim that metadata is a vital tool in helping them investigate crime, that they are “going dark” as communications companies change their business practices. But that ignores the question of whether mandatory data retention is necessary, reasonable and proportionate. And there’s been no compelling evidence provided that the data currently able to be accessed by law enforcement agencies will be no longer available unless this scheme proceeds.
And no police force in any country where data retention exists has been able to produce hard evidence that getting access to more metadata has helped solve more crime. Nor have Australian police forces. In fact, recent incidents, such as the Paris massacres and the Sydney siege, were perpetrated by people already well known to security services, and data retention (which France already has) was irrelevant.
What you can be sure about is that if mandatory data retention is introduced in Australia, actual criminals won’t be the ones affected by it — it will be ordinary Australians and the people whose job it is to hold the powerful to account.