In a continuation of the Attorney-General’s Department long war on transparency, it seems the department is now threatening companies that reveal they’ve been granted an exemption from costly, intrusive data retention plans under the department’s implementation of the government’s data retention scheme.
The implementation has been marked by a series of bungles by the department. Just today, ISPs and other communications companies affected by the regime — to commence next month at a cost of hundreds of millions of dollars — complained they are in the dark about AGD plans for the $131 million allocated to help industry meet a small part of the costs. As Crikey reported recently, AGD is already siphoning off several million dollars for its own uses.
Frighteningly, in June, AGD had yet to finalise its dataset for what companies are supposed to retain — despite having been working on that exact issue since at least 2008. That’s left companies confused, despite the looming deadline for commencement.
As Josh Taylor reported for ZDNet last year, AGD wants to keep exemptions to data retention requirements secret in the hope that criminals (and perhaps people simply concerned about relentless surveillance) might use those services. That’s despite the fact that looking at the legislation, reading Senate committee hearing transcripts and media coverage will easily identify the types of services that will be exempt from the requirements — such as offshore email services.
Under the Telecommunications (Interception and Access) Amendment (Data Retention) Act, the AGD must keep applications — which are made to an AGD functionary labelled “the Communications Access Co-ordinator” — confidential, but no such requirements apply to applicants. According to the act, the “Communications Access Co-ordinator”, in making a decision on an exemption application, is required to take into account the interests of law enforcement and national security; the objects of the Telecommunications Act 1997 ; the service provider’s history of compliance with the data retention act; costs, and any other matters considered relevant.
However, it seems AGD is seeking to impose its own, extra-legal requirements. According to one post on the data retention discussion group board, AGD told an exemption applicant:
“we strongly recommend you keep all information relating to this decision confidential. Disclosure of any information relating to this application may change the Communications Access Co-ordinators decision.”
That is, despite having no legal basis for doing so, AGD is threatening to reverse exemption decisions if applicants misbehave by revealing an application, creating massive uncertainty for businesses that might have to undertake millions of dollars in additional investment to meet data retention requirements if a truculent co-ordinator arbitrarily strips them of their exemption.
The department did not respond to Crikey‘s efforts to confirm the exchange or establish the legal basis for the threat.
Meantime, the continuing fallout from the massive Office of Personnel Management hack in the United States illustrates the profound dangers of mass data retention. While American intelligence officials still aren’t clear on just how much data, relating to more than 21 million Americans, was taken by hackers, this week OPM admitted that 5.6 million fingerprint records had been stolen.
You can, of course, change your telephone number or your email address, or even your credit card, if their security is compromised. No such luck when it comes to fingerprints.
And if that sounds like a nebulous and implausible threat to Australians, recall that it was only the sharp eyes of Labor’s Anthony Byrne, the deputy chair of parliament’s Joint Committee on Intelligence and Security, that spotted an attempt by the then-Immigration Department to seize the power to require biometric data such as fingerprints and retina scans from everyone moving through an airport, leading to the committee removing the power from the foreign fighters bill last year. If this had gone through, the department that accidentally published the names and details of 10,000 asylum seekers, and the bungling buffoons of Australian Border Force would have been able to collect and store indefinitely biometric data, a treasure trove for hackers.