When (not if) your personal data is taken from a service provider compelled by the Labor-Liberal data retention scheme to store it, the provider is under no obligation to tell you.
And despite the government’s promises, they won’t be under any such obligation any time soon.
A key omission from the data retention scheme established earlier this year by the Abbott government, with the support of the Labor Party, relates to the security of the personal data of millions of Australians that will be forcibly collected by phone companies, ISPs and other communications companies. While the legislation, as amended, requires that the data be retained in an encrypted form, there is no requirement for how it should be encrypted or where it should be stored (in fact the Attorney-General’s Department (AGD) told the Joint Committee on Intelligence and Security that it was unwilling to require encryption or mandate what kind of encryption).
And given the government is funding just a fraction of the cost of the scheme, likely to run into several hundred million dollars, many of the several hundred companies that are caught by the scheme are likely to store the data as cheaply as they can, preferably in less expensive offshore locations.
Australian communications companies already have a solid history of losing data: in 2012, to demonstrate how straightforward stealing personal data was, Anonymous-linked hackers broke into AAPT and took customer data, which was later published online. But major telcos don’t need hackers to steal their data — they often release it themselves through their own security errors, as Optus admitted earlier this year, Telstra did in 2012 and Vodafone did in 2011.
Recognising the rising problem of both poor customer data security and hacking of personal information from major service providers, Labor introduced legislation establishing a mandatory data breach notification scheme in May 2013 (the Australian Information Commissioner has guidelines for reporting breaches, but they aren’t compulsory). The bill got through the House of Representatives but was killed by the 2013 election. Earlier this year, the Joint Committee on Intelligence and Security, while considering the Abbott government’s data retention bill, recommended a mandatory data breach notification law by the end of the year.
But so far, nothing. Given that AGD told the committee it preferred “to implement a holistic security framework for the telecommunications sector, rather than imposing specific, standalone and potentially duplicative security obligations that apply only to a relatively narrow subsection of the information held by industry”, i.e. it would prefer to handle such matters at its own pace and in its own way, thanks very much, the lack of any mandatory data breach notification bill before Parliament — despite one having been drafted and introduced just two years ago — is unsurprising. Even if introduced now, such a bill wouldn’t pass Parliament until next year, meaning companies are under no obligation to inform you if your data is lost, either stolen by hackers or simply made available through basic security errors by the company.
An abiding theme of mass surveillance is that it makes us less safe, not safer: security agency staff abuse their power and misuse information; internet security standards are undermined and commonly used products backdoored to suit the agendas of agencies, making life easier for malicious actors; and agencies struggle to make sense of the vast amount of data they have and the number of false positives it generates. That theme is on display in the data retention scheme: the personal data of Australians stored under that scheme will be taken at some point, giving third parties access to a vast trove of personal information about us. And no one is under any requirement to tell us.