Thank you for the invitation to be here and the honour of addressing a plenary session of such an important conference.
It’s rather disarming to be a generalist in a roomful of experts; the sole expertise I bring, to the extent that I bring any, is that I’ve been watching the rise of mass surveillance in Australia and elsewhere for the last several years.
Some years ago I wrote an ebook called “War On The Internet” and in retrospect it was a work of extraordinary optimism, because it suggested that history told us that eventually the corporate and government elites who felt so threatened by the internet and the possibilities for connectedness that it offered citizens would eventually accept that their capacity to control it was limited.
There’s a certain quaint naivety to that view that’s almost charming, in retrospect.
What’s happened in the last 3 years? Chelsea Manning, John Kiriakou and other whistleblowers have been convicted and jailed for revealing US war crimes and CIA torture.
We’ve learnt from Edward Snowden, whose first revelations emerged two years ago tomorrow, of global-scale internet and phone surveillance, undermining of internet security and suborning of the world’s largest IT companies by the NSA and Five Eyes intelligence agencies.
We’ve learnt not merely that the Australian Signals Directorate spied on the Indonesian president but on Indonesian trade negotiators engaged in a trade dispute with the US, with the information handed over to US authorities to be used by industry. Although, according to the Prime Minister, Australia doesn’t engage in commercial espionage.
We’ve seen what happens when a whistleblower in Australia reveals that Australia’s foreign intelligence service spied on the East Timorese cabinet: the whistleblower is raided by ASIO, he and his lawyer are threatened with prosecution and he is prevented from leaving the country.
We’ve seen a continuing expansion of the already massive level of unwarranted accessing of communications data by police forces, regulators, bureaucracies, local councils, the RSPCA etc.
We’ve seen a regime for compulsory data retention established in Australia.
We’ve seen the Trans-Pacific Partnership, which will extend the power of the US-based copyright industry, negotiated in secret – secret, mostly, to ordinary citizens, but not secret to large corporations and peak industry lobby groups, who get an opportunity to shape the document.
We’ve seen a concerted effort by the government to implement the agenda of the copyright industry, including a bill to enable an extension of Australia’s current internet censorship framework to include sites deemed dangerous by the copyright industry. This potentially includes encryption and VPN sites.
In Australia, this agenda has been pursued by the Attorney-General’s portfolio and two key agencies within that portfolio, ASIO and the AFP. The heads of these three agencies are the most powerful and unaccountable bureaucrats in Australia. That portfolio has been given over a billion dollars in additional funding in the last twelve months, in addition to the annual approximately $1.6 billion the AFP and ASIO receive in funding. Their powers have been significantly extended beyond the already draconian War on Terror powers they possess. Yet they face virtually no public or parliamentary accountability because of their capacity to hide behind the cloak of operational matters and national security.
These agencies are also noteworthy because they are seemingly impervious to logic and evidence or the application of these in policymaking and implementation. AGD has been working since at least 2008 on a data retention scheme and yet we didn’t get a definition of the data to be retained under the scheme until several months into 2015, and even now, as I’m sure most of you know, it’s still vague despite AGD recently issuing alleged “explanatory guidelines”. We still don’t know the costs of the scheme even now, even after money has been allocated for it.
There is no evidence from anywhere in the world that data retention of the kind put in place in Australia, or more extensive mass surveillance schemes that vacuum up data more comprehensively, contribute to the prevention of, or detection and investigation of, crime or terrorism. When pressed on this point, officials of the Attorney-General’s Department accept that there is no hard data from any jurisdiction that has used mass surveillance to show that it assists in the prosecution of crimes. Their fallback argument is that metrics such as crime clearance rates are not likely to reflect the benefits to security forces of surveillance mechanisms like data retention.
That is, the effectiveness of a measure that is justified by the benefits it will bring to the investigation of crime can’t be assessed by what benefits it will bring to the investigation of crime.
In fact, as the data retention bill was being considered by a parliamentary committee, we were seeing in vivid and horrific detail how useless it could actually be, with the Sydney siege and then the Charlie Hebdo and associated murders perpetrated by people who were well known to security agencies in their respective countries but who were not under direct surveillance. In the Australian case, it appears that even committing sexual assault and being involved in the murder of your former partner isn’t enough to get you on an intelligence or law enforcement watchlist.
Indeed Man Haron Monis, a convicted extremist just weeks from perpetrating the Sydney siege, wrote to the Attorney-General to ask if it was all right if he contacted Islamic State – surely something that should have raised multiple red flags. And the area of AGD that has for so many years been pushing for more and more powers to collect our information so that they could spot terrorists simply sent back to Monis a form letter and didn’t bother telling anyone about what he’d written.
A similar process of illogic is underway in relation to what is called the “site-blocking bill” but which is more accurately described as the internet censorship bill. The evidence from overseas is that forcing ISPs to censor piracy sites simply doesn’t work in reducing traffic to and from such sites.
If measures like data retention and internet censorship don’t work, why do AGD and its agencies want them? They’re intelligent people, after all, and they can read the data from overseas like the rest of us.
Well, mass surveillance tools deployed against foreign countries are of course about commercial espionage. That’s why we know the Brazilian company Petrobras, and Siemens of Germany, were subjected to NSA surveillance. But what about domestically? Why do agencies want such powers domestically?
They want them because they extend their power over the internet. AGD and the intelligence community bring a 20th century, analog mindset to the internet. Institutionally and oftentimes individually, they grew up with the idea that governments controlled communications. Governments allocated spectrum for radio and television, as well as for other radcomms use. They didn’t license newspapers but newspapers tended to be owned by a small number of companies controlled by people well known to the government. Governments owned postal and telecommunications networks or, if they privatised them, they tended to be owned by powerful, tightly-regulated private incumbents or oligopolies. Governments in effect controlled, or could control if they needed to, all the principal means of delivering information.
The internet has disrupted that, in ways too many to enumerate here, but the unregulated nature of the internet has long alarmed governments. It’s a common metaphor – used by both Nicolas Sarkozy and Barack Obama – to portray the internet as a kind of Wild West, a frontier that needs to be civilized. When security agencies look at the internet, they see chaos and danger, a landscape in which unfettered ideas roam free and could radicalise people sitting in their lounge rooms, so very different to the nice pre-internet media environment where the most radical thing you were likely to see was an R-rated movie on SBS.
And this is the origin of the “collect it all” mentality – it’s an intellectual habit developed in the days when governments could easily control what you saw, read and heard, and who you saw, wrote to and spoke to.
This is one of the reasons why the rise of mass surveillance in Australia won’t stop with data retention and internet censorship. It is no accident that the internet censorship bill would enable the targeting of VPN sites. AGD and its co-conspirators are aware that Australians are moving to protect themselves from surveillance by using encryption and anonymisation tools. Both AGD and one of the police agencies addressing the joint parliamentary committee on intelligence and security explicitly said that data retention was necessary because Australians had begun using encryption a lot more since the Snowden revelations. This will justify further demands for powers, because in response to the imposition of data retention, over the last year Australian usage of VPNs has surged.
This is all rather appropriate, because it perfectly parallels the War on Terror that is used as a rationale for endless extensions of counter-terrorism powers. The War on Terror endlessly creates more terrorists and radicalises more extremists, ensuring that the war will never be over, and thereby providing a rationale for endless extensions of counter-terrorism powers. That’s why there has never been a reduction in counter-terrorism powers since 9/11. That’s why, despite the incessant talk of “getting the balance right” between freedom and security, the balance only ever shifts against freedom.
That’s why there will be more bills extending surveillance powers in the future, all justified as necessary to stop terrorism, or child pornography, or organised crime or drugs or *insert reason here*.
AGD isn’t responsible for all of this – for example, it’s the Department of Foreign Affairs and Trade that is negotiating the TPP, and doing so despite the Productivity Commission having found that intellectual property protections in so-called free trade treaties are damaging to Australia’s national interest – but it is responsible for most of it. AGD is the reason that the greatest threat to us online isn’t hackers, or Chinese spies, or Russian organised crime, it’s our own government. Hackers and malicious online actors are an opportunistic threat to my data. But my government wants it all the time, 24/7, and it has the best set of tools you can get, legislation and courts and spies and police to enforce it.
That our own government is the greatest threat to us is true not merely in a nebulous sense that our online freedoms are under attack, but in specific ways. It is because of the Attorney-General’s Department that our data will be stored by telecommunications companies, internet service providers and anyone else who can be dragooned into the data retention scheme, in underfunded and possibly unsecure facilities offshore; by the government’s own figures, it has funded less than one-third of the cost of its data retention scheme, leaving communications companies to foot the rest of the bill.
It is because of the Attorney-General’s Department that warrantless accesses to our information have surged over 300,000 a year, with the Australian Federal Police among the fastest growing users of warrantless collection of data. It is also because of AGD that 2012-13 is the most recent report we have on mass warrantless interception of data, because the department has refused to release a report for 2013-14 despite a legal requirement that it be prepared as soon as practicable after 30 June.
It is because of AGD that we will have a chilling effect on journalism as whistleblowers realise it is very difficult to contact journalists or activists or even politicians without leaving an electronic record that police can trace.
It is because of AGD that we prosecute Australians who discuss euthanasia online, despite over 70% of Australians supporting it. It is because of AGD that if you want to gamble online, you do so with an overseas company, not an Aussie-regulated company.
And in case you think, well, AGD are just doing what their political masters tell them to do, it’s because of AGD that we don’t have a statutory right to privacy, which the previous government wanted to introduce but which AGD, which opposes a right to privacy, simply refused to cooperate in drafting. And a right to privacy would have been a useful tool to have in the fight against data retention.
It is because of AGD that our security agencies literally have more power than they know what to do with. In 2011, Attorney-General’s officials convinced the then-government to establish a data preservation scheme so that telecommunications data that might be destroyed by companies could be preserved if security agencies believed they needed it. It was important, AGD officials said at the time, that such a regime be established. “We have been advised by both industry and agencies alike that that data is vulnerable because it is destroyed for their own business purposes, which they have documented to us. We need to ensure — not go on a cooperative basis, but actually have the legislation in place.”
But according to the Inspector-General of Intelligence and Security, ASIO has barely even used the scheme. Its last annual report said about the data preservation scheme “there was a very small number of such notices”.
And in case you’re wondering why, if we already had a data preservation scheme to deal with companies destroying data, we needed a data retention scheme to deal with companies destroying data, well let’s ask AGD. They said early this year “preservation notices will not address the fact that service providers are not retaining critical types of telecommunications data.”
Of course, it wouldn’t have anything to do with the fact that the data preservation scheme requires security agencies to get a warrant, albeit not immediately, merely at some point within 3 months.
And we know this is not going to end. I’m told by a senior intelligence community figure that AGD has been advising major companies such as Facebook that it plans to attempt to bring them under Australian surveillance laws. AGD sees data retention as just the start of a wider surveillance scheme.
So where are the various sub-sectors of the IT industry in this war on the internet, and particularly the cybersecurity industry? Well, we know that some companies are very happy to cooperate with governments in enabling mass surveillance. You’d all be aware of the many IT companies around the world – some of them well-established in the Australian cybersecurity market – who developed mass surveillance tools for repressive regimes, especially in the Middle East. At the other end of the spectrum, some of our best advocates against mass surveillance come from the cybersecurity industry.
But it seems most – and I speak from an outsider’s perspective – are betwixt and between. And in this war on the internet, I want to urge industry to side more openly with citizens against government mass surveillance.
Well in the first place, because I want to appeal to you as good citizens of the internet, as people who understand what the stakes are, as people who know that the internet provides an immeasurable civic value to us, a value that is directly threatened by government surveillance. I think after the Arab Spring, a lot of us went through a period of idealising the internet and its civic potentialities, even if there were far fewer cyber-utopians than the cynics liked to claim. And it is easy to be cynical and see the internet as the enabler for the worst of humanity, to see nothing but the porn and the greed and the shameless hucksterism and the Kony video and dumb memes and Mamamia, but it’s also an enabler for the best, and it’s an enabler for the vulnerable, the under-resourced, the dissenters, for those who in an analog world would have been silent and alone.
For such people, as for all of us, privacy and anonymity are vital, even if they are abused by the worst of humanity. As one US figure said in support of giving people tools so they could enjoy what she called “the freedom to connect” without government surveillance:
“On the one hand, anonymity protects the exploitation of children. And on the other hand, anonymity protects the free expression of opposition to repressive governments. Anonymity allows the theft of intellectual property, but anonymity also permits people to come together in settings that gives them some basis for free expression without identifying themselves. None of this will be easy … We should err on the side of openness and do everything possible to create that.”
But I more want to appeal to you as capitalists. The Snowden revelations inflicted a massive trust shock on the US-based IT giants, as we all realised that they had been compelled, happily or not, in secret, to give our governments access to whatever information they could provide. Apple, Google, Facebook and Microsoft very quickly realised that this had enormous potential to damage their business models. If people don’t trust you, they’re going to use your products less.
That’s why those companies are now rushing to shore up their trust stocks with consumers, offering encryption by default, insisting to the fury of law enforcement agencies that only users themselves will hold the keys so they’ll have nothing to hand over when the NSA comes knocking. They understand that if they don’t, then small companies will come over the top and provide the trust instead – or at least claim to, via encrypted and ephemeral communication apps.
So the question for the Australian IT industry and especially the cybersecurity industry is, how much can we trust you? Yes, we know the legal requirements you are placed under, but how much can we trust you to protect us? Because if we can’t, we’ll go elsewhere, like is happening now as Australians shift in large numbers onto VPNs.
How should industry side with citizens? Two ways. One, advocacy. Let’s look back on the data retention debate earlier this year.
I don’t just say that as a strident opponent of data retention, but as someone who likes to see intelligent, evidence-based policy win. Those of us in the No camp failed. And one of the reasons that we failed is that we simply don’t have the kind of strong civil society organisations that the US has, like the EFF or the ACLU. Yes, we have bodies like the EFA and other initiatives, but we’re simply too small to sustain the kind of well-resourced civil society institutions that can launch legal cases and be a constant presence in public debate.
Nor do we have a media capable of or, often, interested in, independent journalism and advocacy. We have enough problems with a media that won’t cover politics properly, let alone an arguably more niche area like our online rights, where you’re more likely to draw blank stares from journalists than Woodward & Bernstein-like efforts.
Not enough of us spoke out, and not enough of us spoke loudly enough and often enough. And where was the IT industry?
Well, we had iiNet, although they went silent after Steve Dalby and Leanne O’Donnell left. Lots of individuals in the industry spoke up and made submissions. One or two companies. But like the rest of us, the IT industry, a vitally important sector of the Australian economy, failed. Our IT industry, including the cybersecurity sub-sector, needs to find a stronger voice in this area, otherwise, the AGD voyeurs, and the coppers and spooks, will drown out dissent.
The other area is in providing ordinary internet users with more easy-to-use, reliable encryption and anonymisation tools and explaining why they’re important. I know this is a priority – indeed, core business – for many of you. But as someone who is comfortable doing the basics of good IT hygiene but who once spent a whole day trying to get PGP working, I can attest to the need to get more plug-and-play, user-friendly encryption and anonymisation tools out there.
Part of this of course is helping people understand that protecting yourself online is an ongoing process, not a one-off solution, and that it can never be about eliminating risk, merely reducing it and managing it, and that the more we use encryption and anonymisation as default, the more expensive it gets for ASIO and the AFP and every other outfit that wants our data to collect it. And the more they have to come back to politicians and say “give us more power and money.”
This, it seems to me, is the best way to get people interested in protecting their online rights, to move the issue from nebulous discussions about free speech and privacy to the very pointed one of how individual users need to protect themselves, to understand cybersecurity as not just about protecting yourself from hackers but protecting yourself from your own government and the industries that influence it.
And yes, I understand the frustration of many people in this industry about the poor level of IT comprehension of most of us. I find that frustrating as well, and I find it particularly frustrating that so many of my colleagues in the media share that ignorance. Equally, I find the lack of interest of a lot of Australians in mass surveillance immensely frustrating. If I never write another article about why data retention is a dumb idea again, it’ll be too soon.
But that’s no excuse not to do it, however frustrated we might get, because that’s how they win. AGD continually pushed data retention from 2008, constantly and secretly, first not being able to convince the then-government, then getting an Attorney-General in Nicola Roxon who wanted to back it, but we fought back and defeated that push in 2013. But they didn’t stop. They came back again last year and finally they won.
That’s what they’ll do – they’ll just keep coming at our rights online, like a battering ram, they’ll never stop. And that’s why we can’t get frustrated or worn down. Every time we lose, we have to dust ourselves off and get ready for another battle. And every time we win, we just have to redouble our efforts for the next round.
That way, we might not win the war on the internet, but we’ll have given it our best effort.