A review of the mass surveillance scheme established by the Abbott government six years ago has revealed how it is being widely abused in ways voters were assured would never happen.
The government’s data retention regime, which compels communications providers to retain personal information on service use by customers for two years, is currently the subject of a statutory review by the Parliamentary Joint Committee on Intelligence and Security.
When the Abbott government introduced the scheme in 2014, it assured Australians that the unprecedented level of surveillance of their communications metadata — which can be used to construct a detailed portrait of an individual’s life beyond that provided by any content they may use — would be subject to strict controls.
Its use would be limited to serious offences and a small number of security agencies — just 22 across the state and federal governments.
Those commitments have turned out to be false.
Telecommunications companies and the Communications Alliance, the body representing most telecommunications providers in Australia, made submissions to the committee last year that scores of bodies other than the 22 security agencies specified in the data retention legislation were routinely seeking retained data.
According to the Communications Alliance, bodies such as local councils, the Victorian racing integrity regulator, taxi bodies, a vet body and anti-dumping agencies have used a loophole under which they are able to request retained data from telecommunications providers, via s.280 of the Telecommunications Act.
In evidence to the committee earlier this month, the Communications Alliance went further, explaining “when agencies outside the 22 CLEAs make data requests … those requests can be imprecise. Sometimes these agencies don’t know exactly what they’re looking for or what they’re trying to find. Often they also have difficulty interpreting the data that they receive, come back to the service provider and try to work their way through it.”
This has also led to the content of communications such as the URLs users are accessing being disclosed by providers, in direct defiance of the intended limitation of data retention to metadata only.
Then-attorney-general George Brandis notoriously made a fool of himself trying to explain that the scheme would be strictly confined to metadata rather than content such as URLs, but according to Christiane Gillespie-Jones of the Communications Alliance, URLs are “sometimes, but not always by far, being provided by providers because of the difficulty of separating out specific data points. I suspect that the same might be the case with location data.”
Gillespie-Jones also told the committee retained data was being obtained for civil court proceedings, yet again in defiance of the purported limitation of data retention for serious criminal offences.
Data that would otherwise be deleted, but which is now being retained at the request of security agencies, is being caught by other provisions of telecommunications legislation, and processes such as court subpoenas, and dragged into activities voters were assured it would never be used in.
At a previous hearing, staff of the Commonwealth Ombudsman told the committee they were also aware of over 100 instances of information being incorrectly provided to security agencies in 2017-18, including over 40 cases of information for the wrong period being provided and 13 cases of data not asked for.
The Ombudsman’s office also argued that it was straightforward for security agencies to evade the requirements of the “journalist information warrant” process, intended to provide an extra hurdle when agencies want to obtain metadata to identify a journalist’s sources:
If an agency has a sense of who the source might be, they can get an internal authorisation to access the potential source’s data and, in so doing, identify those phone numbers and so forth that the potential source was communicating with, and it may turn out that one of those is the journalist. And so there is a way in which the journalist’s source is identified but without accessing a journalist information warrant.
Security agencies are also routinely keeping data indefinitely (something not prohibited by the data retention laws) enabling them to connect data from different requests and thus assemble a richly detailed portrait of individuals.
Each new request potentially adds further layers and connections to existing data on targets such as whistleblowers, journalists, lawyers — some of the recent targets of the Australian Federal Police and ASIO.
Data retention critics repeatedly warned that each of these outcomes would inevitably result from such a scheme: that retaining user data would prove an irresistible honeypot for non-security agencies, that mission creep would mean the scheme would stop being about “the most serious criminal offences” and start being about parking fines and rubbish bins.
They warned that metadata and content could not be cleanly separated, that journalists and whistleblowers would be the target of the scheme and that agencies would compile data in order to construct ongoing profiles of large numbers of people.
Those critics were ignored at the time, particularly by the media, which only woke up to the threat posed by data retention at the last minute and were placated with an exception that, as the Ombudsman representatives noted, is trivially easy to evade.
It’s now up to the government-controlled intelligence and security committee to push for fixes to a scheme that was fundamentally flawed from the outset.