Ensuring both people’s privacy and their protection from terrorism is not a zero-sum balancing act, according to the United Nation’s special rapporteur for privacy Professor Joe Cannataci. As he tells Crikey, we should be able to have both.
Shortly before calling the election, Prime Minister Malcolm Turnbull appointed hard-right Tasmanian Liberal MP Andrew Nikolic to chair the powerful Joint Parliamentary Intelligence and Security Committee. As with many who advocate for giving law enforcement all the invasive powers they want, Nikolic has invoked the false balance between privacy and security, and has said in the past civil liberties are a luxury in a time of heightened threat. But Cannataci takes a different view.
“I make it quite clear that I don’t believe in balance. There shouldn’t be a balance. It’s a horse trade. I want to have both privacy and security. I don’t see why I can’t have both,” he said.
“When people advance arguments like ‘oh with encryption you’re going to prevent people from having security’, that’s not right. With encryption, you’re actually going to enable people to have more security, and especially if you look at areas like IT theft, you’re actually enhancing security by granting them encryption.”
Get Crikey FREE to your inbox every weekday morning with the Crikey Worm.
Maltese-born Cannataci was appointed the UN’s first special rapporteur for privacy last year after three decades in the field of privacy. He is in Australia this week for Privacy Awareness Week, organised by the recently re-invigorated Office of the Australian Information Commissioner.
Encryption is increasingly being raised as an issue by law enforcement agencies seeking to investigate and thwart terrorist attacks. In the United States, Apple has stood up to challenges from law enforcement attempting to force the tech giant to build a backdoor to its phones, allowing them to bypass the encryption and access data. Turnbull has indicated it is an issue — despite himself using encrypted communications applications — but has not announced any plans to crack down on encryption.
Cannataci has congratulated countries like the Netherlands — it’s taken a stance against backdoors to give law enforcement a bypass to encryption — and believes backdoors are a bad idea. On the other hand, he questioned why the Abbott-Turnbull government had embarked — with the support of Labor — on a two-year mandatory data retention scheme shortly after the European Court of Justice declared the European Union’s data retention directive invalid.
“That, I suspect, is a legitimate question,” he said. “Here we are seeing, in one area of the world, data retention being struck down, and yet Australia, on the other hand, introducing it.”
The million-dollar question about Australia’s data retention regime: what value do we get from it? And, asks Cannataci, at what cost?
“If you look at the European Commission’s reports trying to see what value came out of seven years of data retention laws, they found less than 100 cases where information from data retention actually led to some form of conviction. It’s going to be very interesting to see after the passage of five or seven years what has actually been the cost of this to the Australian taxpayer directly or indirectly, and also what the benefits are,” he told Crikey.
Attorney-General George Brandis has described metadata as “the basic building block in nearly every counter-terrorism, counter-espionage and organised and major crime investigation”. But very little data has been released showing how effective the legislation is in preventing attacks. Cannataci says data retention is largely used for investigating crimes that have already occurred.
The government has set aside $130 million to help internet service providers build systems to retain the data — but ISPs have estimated their costs to be much higher. The Attorney-General’s Department has not responded to multiple requests on how much the scheme will cost based on the implementation plans ISPs provided to the government last year.
Despite this, Cannatuci says Australia’s privacy laws are good, but could be improved by incorporating recommendations from the Australian Law Reform Commission’s review of privacy law in 2014. He did not have a view on whether the changes should be made as a tort of privacy or a bill of rights in Australia.
Shortly before the election, the government finally introduced mandatory data breach notification legislation that would require companies to disclose breaches where private data is compromised. It failed to pass before the election was called and will need to be re-introduced after the election. Cannataci says mandatory data breach notifications should be the norm — but there should be sensible controls around when the disclosure is made to avoid “some kind of general panic in the population”.
Although he himself shuns Facebook and Twitter, Cannataci believes tech companies are generally getting better with privacy for users. In the past, where companies like Apple have been criticised for harvesting the data of its customers, now they seek to be the champions of privacy.
“I’m not being cynical, I actually think it is a good thing,” he said. “I think companies are realising that privacy can give them a competitive edge. Keep up the work guys! Why are [tech companies] increasing encryption? In order to continue to gain trust from their clients. In gaining trust, they’re gaining or consolidating their business. No trust? No business.”
There has never been a more exciting time to care about privacy, Cannataci says, but people needed to be more aware of their digital footprint and what it says about them.
“While people may remember what they’ve put on Facebook, one thing we have found out is the extent to which they are leaving digital footprints all over the place. People are not aware that every click they make, the sheer amount of information they are leaving behind them,” he said.