Friday, March 20, 2015

Dear Senator, Please strike a better balance on metadata.

Dear Senator,

Journalists aren't the only people with sensitive metadata.  

Journalists' sources, lawyers, doctors, you and I, and countless others create digital data about ourselves that betrays our own expectations of privacy.

As many MPs in the House have already explained, law enforcement agencies can currently access our metadata with little oversight.

There's a need to tighten up access to our metadata and better protect our privacy.

The 'Data Retention' bill presents an opportunity to protect everyone's metadata in a way that has never been achieved in Australia.

But although the bill in its current form makes it slightly harder to access our metadata, it creates more metadata by demanding service providers keep certain information for two years.

Moreover, despite the best efforts of the parliamentary committee and individual MPs who have argued for improvements, the bill does not strike the right balance between privacy and law enforcement. 

It errs on the side of intruding into our private lives beyond what security and law enforcement need.

The argument that the 'Data Retention' bill creates a regime of "mass surveillance" unhelpfully overstates the impact of the bill. 

But the bill oversteps the precarious balance between privacy and safety in a number of important ways that could be remedied in the Senate with appropriate amendments:

1. Serious crimes: Access to metadata won't be limited to the investigation of serious crimes.

The parliamentary committee reporting on the bill decided not to limit access to the investigation of serious crimes as requested by several key legal bodies. Instead the seriousness of the offence is one of several considerations in granting access.

Key to this decision was Australia's commitment to the Cybercrime Convention, even though this could be resolved by including offences under the Convention within the scope of 'serious crimes'.

The bill can be amended to limit metadata access to the investigation of serious crimes with 'serious crimes' defined to meet appropriate obligations.

2. Location data: The parliamentary committee acknowledged this was the most sensitive of all metadata required to be retained under the bill.  

Data about where we have used our devices while we walk, run, have coffee or wait for a bus goes beyond our understanding of 'metadata'.  It is much more intrusive.

Data about our location should be treated in the same way as content data.  A warrant should be required for access to data about where someone has been - in the same way a warrant is required for information about what someone has said.

The bill should be amended to remove location data from the set of metadata and to clarify that a warrant is required.

3. Warrants:  This brings us to whether warrants should be required for access to all metadata.

The bill does tighten access to our metadata by limiting the number of agencies that can apply for data and by raising the threshold for granting access (the decision maker needs to consider the gravity and proportionality of the intrusion into privacy).

The additional requirement for a warrant would not, as some have argued, bring the system of access to a grinding halt, but would provide us all with the safeguards we expect.

Currently, our metadata can be accessed too easily. This is an opportunity to protect our metadata and make sure it is only accessed when warranted.

A warrant system for all metadata could be introduced into the bill.

4. Retention period: Two years is at least 12 months too long.  

Many would argue that no case has been made for a mandatory retention period: that not one enforcement agency was able to prove to the committee that storing metadata for two years would result in significantly better safety and greater prosecution of criminals.

Evidence produced for the committee showed that most requests for metadata occur within six months of the data being created, with 90 percent of requests generally occurring in the first 12 months.

Requiring retention for two years creates a cost and infrastructure burden for service providers (and consumers) that has not been justified by a clearly identified law enforcement need.

A shorter period of 6-12 months should be set - with a requirement for review to demonstrate the need for a mandatory period.

5. Creation of data: Despite government assurances that the bill only requires the retention of data already stored by service providers, it's clear this isn't the case.

A section of the bill requires providers to store the defined metadata if it's not already retained - and several companies have confirmed they don't currently retain all of the specified metadata.

Requiring companies to retain metadata they wouldn't ordinarily retain places an unfair burden on service providers and goes beyond the government's assurances about the impact of the bill.

Metadata not currently retained by service providers for commercial purposes should not be required under the bill.

6. Secret warrants: The introduction of a journalist information warrant to guarantee stronger protections for journalists' metadata (although not that of their sources) has a sting in the tail: anyone who discloses that a journalist information warrant has been sought faces two years in prison.

Attaching a secrecy provision to the warrant concession for journalists undermines its value in protecting free speech.

We will never know if warrants for journalists' metadata are being sought, for what purposes, or whether they are being appropriately granted and denied.

There is international recognition that protection of journalists’ sources is a critical aspect of freedom of expression that should be protected by all nations. 

The secrecy provision closes the books on any discussion on whether metadata is being used to undermine the freedom of the Australian press.

The provision prohibiting the disclosure of information about warrants for journalists' metadata must be removed.

This list of six concerns is not exhaustive.  It doesn't address the costs and difficulties imposed on service providers.  Nor does it address the concerns raised about the regime creating a 'honey-pot' of data for potential hackers.

Critics have also pointed out that criminals can avoid any tracking by using communication systems beyond the scope or capacity of the data retention scheme.

The starting point for debate is that we need better protection for our metadata.  This bill is the result of an unsatisfactory barter between better protection for citizens and more data for law enforcers.

Please Senator, keep haggling.

Wednesday, March 11, 2015

Five questions you should ask about the new metadata laws

The federal government has said it wants the new metadata legislation to be passed as soon as possible.  There are some important questions about the laws that you, as the subject of metadata, should ask.

In a nutshell, the laws make it compulsory for mobile phone and Internet providers to keep, for two years, information about you – their customers.

The information can then be accessed by law enforcement agencies in the investigation of crimes.

Agencies such as ASIO and the Australian Federal Police, as well as state police, say they use metadata to solve the vast majority of cases involving terrorism, sexual exploitation of children and cybercrimes.

The laws are not equivalent to mass surveillance in the vein of Edward Snowden’s revelations about the NSA in the US.

But there are reasons for nervousness and disquiet about the proposed way in which metadata will be collected, stored and accessed under the new regime.

Is the regime an unjustifiable intrusion?  Will technological advances render it unworkable and useless?  Will the legislation actually prevent or solve serious crimes?

These deeper questions aside, on a practical front, if the government presses ahead with its legislation, as it intends to, key questions need to be asked:

·      Does ‘metadata’ really exclude content?
·      Should data be kept about your location?
·      Is two years too long?
·      Who should be able to access your metadata?
·      Should a warrant be required for access?

1.    Does ‘metadata’ really exclude content?

At this stage, the ‘metadata’ required to be stored will include names and addresses of account holders, the type, source, destination, time, date and duration of a communication, and the location of the device at the beginning and end of a connection.

Content and web-browsing histories are explicitly excluded.

However, the requirement that ‘source’ and ‘destination’ information be retained opens the potential for the reconstruction of web-browsing histories.  This is disputed by the Attorney-General’s Department.

So while it is clear that service providers are not required to retain a person’s web-browsing history, the information that is retained could potentially be used to reconstruct a web-browsing history – although this would go against the intent and scope of the law.

Does ‘metadata’ really exclude content? Legally, yes, but it depends on how courts allow information about source and destination to be used.
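To make the reconstruction point concrete, here is an added example written for this page (it is not code from the bill, the Attorney-General's Department or any provider). It joins constructed retained 'source'/'destination' records with a constructed IP-to-hostname table of the kind passive DNS or reverse lookups would supply; the subscriber, addresses, hostnames and timings are all invented. It also shows the limit of the inference that the Department's position rests on: an address that fronts several sites yields only an ambiguous entry, and an address with no known name yields nothing readable.

```python
"""Reconstructing a browsing timeline from retained connection metadata.

Illustrative code written for this page, not from the bill or any provider.
RETAINED and HOSTS are constructed sample data standing in for retained
'source'/'destination' records and for an investigator's passive-DNS table.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Record:
    subscriber: str   # account holder the source address was allocated to
    src_ip: str
    dst_ip: str
    dst_port: int
    start: datetime
    duration_s: int


# Constructed retained records: no URLs, no content, only endpoints and timing.
RETAINED: List[Record] = [
    Record("acct-1042", "203.0.113.7", "198.51.100.10", 443, datetime(2015, 3, 10, 8, 1), 40),
    Record("acct-1042", "203.0.113.7", "198.51.100.23", 443, datetime(2015, 3, 10, 8, 2), 300),
    Record("acct-1042", "203.0.113.7", "198.51.100.77", 443, datetime(2015, 3, 10, 8, 9), 15),
    Record("acct-1042", "203.0.113.7", "192.0.2.50", 25, datetime(2015, 3, 10, 8, 15), 3),
    Record("acct-1042", "203.0.113.7", "198.51.100.99", 443, datetime(2015, 3, 10, 8, 20), 60),
]

# Constructed resolution table (what passive DNS would give).  One address may
# front many sites: that is the shared-hosting / CDN ambiguity.
HOSTS: Dict[str, List[str]] = {
    "198.51.100.10": ["news.example"],
    "198.51.100.23": ["forum.example"],
    "198.51.100.77": ["clinic.example", "shop.example", "cdn-edge.example"],
    "192.0.2.50": ["mail.example"],
}

WEB_PORTS = {80, 443}


def reconstruct(records: List[Record], hosts: Dict[str, List[str]],
                subscriber: str) -> List[Tuple[datetime, str, str]]:
    """Return (time, site, confidence) for one subscriber's web connections.

    confidence is "exact" when the destination maps to a single hostname,
    "ambiguous" when it fronts several, "unresolved" when no name is known.
    Non-web ports are skipped: they say nothing about browsing.
    """
    out = []
    for r in sorted(records, key=lambda rec: rec.start):
        if r.subscriber != subscriber or r.dst_port not in WEB_PORTS:
            continue
        names = hosts.get(r.dst_ip, [])
        if len(names) == 1:
            out.append((r.start, names[0], "exact"))
        elif names:
            out.append((r.start, "|".join(names), "ambiguous"))
        else:
            out.append((r.start, r.dst_ip, "unresolved"))
    return out


if __name__ == "__main__":
    for when, site, conf in reconstruct(RETAINED, HOSTS, "acct-1042"):
        print(when.strftime("%H:%M"), site, conf)
```

The retained fields never name a site, yet three of the four web connections come back as a readable history. What stops the fourth is not the law but the lookup table; a richer table, or TLS handshake data a provider happens to keep, would close that gap too.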

2.    Should data be kept about your location?

The government says the legislation will not allow your precise location to be tracked, but, in practice, sensitive information about the location of a device while it is connected will be retained and accessed and can be used to trace your movements.

The legislation explicitly excludes detailed and continuous location records.  This is intended to clarify that information amounting to geo-tracking is not to be retained.

The information that must be retained is the location of the device at the beginning and end of a connection ‘session’.  A ‘session’ can last from a few minutes or hours to many months.

With respect to phone calls, or laptops, the duration of a ‘session’ can be clearly understood.  When it comes to the Internet connections of a smartphone, the concept of a ‘session’ is more difficult to quantify. 

The legislation says only information that is ‘used’ by the service provider needs to be retained.  But the concern is that if a service provider has detailed records about the accurate location of a device on a continuous basis, this information will be available to law enforcement agencies.

Should data about your location be dropped from the list of required metadata?

Given the sensitivities of this sort of information, the retention of location data should be removed from the legislation.  

Location data should be treated like 'content' data.  ASIO and the AFP and other law enforcement agencies can access this information via processes with higher levels of oversight including a warrant.

3.    Is two years too long?

Evidence produced for the Parliamentary Joint Committee reporting on the bill showed that metadata is most frequently sought within 12 months of its creation.

Some crimes do require longer investigations, but the evidence from a range of state police and overseas experiences demonstrated that only around 10% of requests related to data that was more than 12 months old.

The blanket rule of two years could be reduced to 12 months with the capacity for extensions to be requested under special conditions.

Some metadata is already held for longer periods, but the intention of the legislation is to set a minimum standard across the industry.  The question is whether the cost and complexity of establishing retention of metadata for two years is justified by law enforcement needs.

Is two years too long?  The evidence suggests 12 months would achieve a better balance between cost and usefulness.

4.    Who should be able to access your metadata?

One of the clearly positive features of the legislation is that it tightens up the rules around which agencies can access information. 

Criminal law enforcement agencies will be able to access content and other stored information under warrant.  It has been recommended that ASIC and the ACCC be included as law enforcement agencies.

Another list of ‘enforcement agencies’ will be able to access the retained metadata without a warrant. In an ‘emergency’, however, the Attorney-General will be able to declare an entity to be an ‘enforcement agency’.

The list may include agencies like ASIC, the ATO and local councils, but has not yet been finalised.

The Parliamentary Committee reporting on the bill recommended that data kept under the regime should not be made available for civil disputes.

You should be allowed to access your own metadata and Telstra has recently made this process available.

5.    Should a warrant be required for access?

The process for accessing metadata is an area of great concern.  Currently, any ‘authorised officer’ of an enforcement agency can approve access – a self-serve system of sorts.

There is a chorus of legal and human rights advocates calling for a higher threshold for access to metadata. 

Predictably, law enforcement agencies are concerned about operational delays or extra costs associated with a warrant mechanism.

An administrative process that provides greater control over access to metadata has high levels of support, but at this stage hasn't been included in the legislation.

The Committee has recommended a slightly higher threshold for the authorised officers to consider when granting access to metadata (“that it be proportionate to the intrusion into privacy”), but challenges to this can only take place after the intrusion has already happened.

Should a warrant be required for access?  In order to prevent misuse of data and unjustified intrusions into people’s privacy, authorisation should be required from an independent authority (whether it be a magistrate or tribunal).

Clarifying the use of 'source' and 'destination' data, dropping location data from the list and treating it as content, reducing the retention period to 12 months and requiring a form of warrant for access would satisfy some of the key concerns about the metadata retention bill.

Ongoing concerns remain about journalists and whistleblowers, security of data, and whether intrusions into privacy are justified for the public interest of law enforcement.

Tuesday, March 10, 2015

Retention v creation? Turnbull is wrong on metadata

Government ministers have had trouble convincing voters they know what they’re talking about when they spruik ‘metadata’ retention.

From Attorney-General George Brandis’ embarrassing inability to complete a sentence when asked to define metadata, to Prime Minister Tony Abbott’s incomprehensible postal analogy, the topic has appeared beyond the grasp of the pre-Internet-generation front bench.

Even Communications Minister Malcolm Turnbull, with his capacity to smooth-talk a path through political thickets, hasn’t managed to convince technically savvy voters that he’s on top of metadata.

If he hasn’t personally waded through the Parliamentary Joint Committee’s 350-page report into the Data Retention Bill, he should at least avoid making comments that are wrong – like the assurance the bill retains a degree of status quo.

Mr Turnbull has repeatedly insisted the legislation is not requiring “telcos to record or retain information they are not currently recording”.

“That is information that is already being kept and it’s clearly, it’s, it’s an essential part of the [Internet Service Provider’s] business,” he said on ABC radio in August last year.

He went on to say that “obviously, if you were asking them to capture a whole additional set of data – you know, log sessions and so forth – which they are not currently recording or retaining” costs would increase.

He has given the same assurances on the Today show (“data that they are currently recording”) and most recently on ABC’s 7.30 (“do what they are currently doing”).

The importance of the assurance that service providers will only be required to retain data they are currently recording is reflected in the number of times it has been given.

If there were requirements on service providers to collect additional data, concerns about costs and intrusions into people’s privacy would increase.

But Mr Turnbull is wrong.

The data retention bill, if passed in its current state, or with the amendments recommended by the joint committee, will include an element of data creation.

Section 187A(6) of the bill covers this scenario by requiring that service providers retain certain data even if they are not currently doing so.

The government’s explanatory notes for the bill make it clear that if service providers are not creating the required metadata in their current business practices, then they are “required to use other means to create this information”.  

In its submission to the committee, the Communications Alliance criticised the metadata retention proposals as “a data creation regime as well as a data retention regime for all those providers who do not presently retain” all of the proposed types of data.

ASIO and the Attorney-General’s Department concurred that some data, while available to service providers, exists only fleetingly and is not currently retained.

ASIO provided an indication of the current retention times showing that some Internet service providers don’t retain data that will be required:

[Table from ASIO's submission showing current retention periods by service provider; image not reproduced here]

Due to the way some services are purchased, and changing technologies, not all service providers keep data about individual Internet connections – shown above as “0 days”.

Under the new bill, all service providers will be required to keep information about source, destination, date, time and duration of an Internet connection.

This may not apply to a sixth category of data not listed in the above table: the most sensitive data being proposed under the committee’s recommended amendments to the bill – location data. 

The committee recommended that the government mandate the collection and retention of data that provides information about “the location of equipment, or a line, used in connection with a communication”.

This is the most controversial metadata proposed for retention. The committee’s intention is that this be confined to the location of a device at the beginning and end of a “session” – such as the cell-tower to which a phone connects at the beginning and the end of a call.

The definition excludes “continuous” location records: GPS data, geo-tracking and what Senator Scott Ludlam describes as “your precise location everywhere you’re carrying your mobile phone”.  However, the nebulous definition of a ‘session’ renders it contentious.

The Australian Privacy Commissioner submitted that even the limited scope of location data could become the equivalent of location tracking in some instances.
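Both this post and the "Should data be kept about your location?" question above turn on how long a 'session' is. The following added example, written for this page and not taken from the bill, the committee or any carrier, applies the same start-and-end-of-session rule to a laptop on one tethered connection and to a phone whose apps open a short session every fifteen minutes, then summarises what could be read off each set of records. The cell identifiers, coordinates, subscriber and daily routine are all constructed; the distance calculation is the standard haversine formula.

```python
"""What 'location at the start and end of each session' reveals.

Illustrative code written for this page, not from the bill or any carrier.
CELLS, the subscriber and the daily routine in _cell_at are constructed.
"""
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed cell-tower register: cell id -> (latitude, longitude, label)
CELLS = {
    "C01": (-33.8688, 151.2093, "CBD"),
    "C02": (-33.8830, 151.2100, "Surry Hills"),
    "C03": (-33.8915, 151.2767, "Bondi"),
    "C04": (-33.8650, 151.1950, "Darling Harbour"),
}


def _t(h, m):
    return datetime(2015, 3, 10, h, m)


def _cell_at(t):
    """Constructed daily routine: which cell the phone is camped on at time t."""
    h = t.hour + t.minute / 60
    if h < 8.0:
        return "C03"   # home
    if h < 8.5:
        return "C02"   # commute
    if h < 12.0:
        return "C01"   # office
    if h < 13.0:
        return "C04"   # lunch
    if h < 17.5:
        return "C01"   # office
    return "C03"       # home


def _phone_sessions(subscriber, first, last, every_min=15, length_min=2):
    """A phone's apps open a short data session every few minutes all day."""
    out, t = [], first
    while t <= last:
        end = t + timedelta(minutes=length_min)
        out.append((subscriber, "phone", t, end, _cell_at(t), _cell_at(end)))
        t += timedelta(minutes=every_min)
    return out


# Constructed session records: (subscriber, device, start, end, start_cell, end_cell)
SESSIONS = [("acct-2001", "laptop", _t(9, 0), _t(17, 0), "C01", "C01")] + \
    _phone_sessions("acct-2001", _t(7, 30), _t(18, 0))


def trace(sessions, cells, subscriber, device):
    """Chronological (time, label, lat, lon) fixes the retained records give."""
    pts = []
    for sub, dev, start, end, c_start, c_end in sessions:
        if sub != subscriber or dev != device:
            continue
        for when, cell in ((start, c_start), (end, c_end)):
            lat, lon, label = cells[cell]
            pts.append((when, label, lat, lon))
    return sorted(pts)


def _km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres (haversine)."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def movement_summary(points):
    """Places visited in order, kilometres moved, and the longest gap (minutes)
    between consecutive fixes.  A small longest gap means the 'session'
    records amount to continuous tracking in practice."""
    places = []
    for p in points:
        if not places or places[-1] != p[1]:
            places.append(p[1])
    km = sum(_km(a[2], a[3], b[2], b[3]) for a, b in zip(points, points[1:]))
    gaps = [(b[0] - a[0]).total_seconds() / 60 for a, b in zip(points, points[1:])]
    return {"fixes": len(points), "places": places, "km": round(km, 1),
            "longest_gap_min": max(gaps) if gaps else None}


if __name__ == "__main__":
    for device in ("laptop", "phone"):
        print(device, movement_summary(trace(SESSIONS, CELLS, "acct-2001", device)))
```

The laptop produces two fixes eight hours apart and no movement at all. The phone, under exactly the same rule and with no GPS data retained, produces dozens of fixes never more than thirteen minutes apart, a home-commute-office-lunch-home itinerary and a distance travelled; that is the Privacy Commissioner's point in code.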

In any case, not all service providers currently collect and retain data about the location of devices at the beginning and end of communication sessions.

The Communications Alliance spokesperson told the committee “on the mobile side, any information about mobile location may not be being stored in systems at all because there is simply no business reason to keep track of where your customers are”.

He added that providers “may keep that for a very short period of time to deal with customer complaints or technical complaints about the operation of your network”.

A small and convoluted section of the bill appears to limit the collection of location data to only that which service providers actually use – although the wording is laden with double negatives and vague terminology making it difficult to comprehend.  The government’s explanation is no clearer:

“[A] service provider is not required to keep information about the location of a telecommunications device that is not information used by the service provider in relation to the relevant service to which the device is connected.  This could include, for example, a record of which cell tower, base station or other network access point a device was connected to.”

So it appears that service providers don’t need to retain location data if they don’t ‘use’ it.  Lawyers, good luck with that.

The question of whether location information should be retained by service providers and accessed by law enforcement agencies at all is worthy of an entirely separate discussion. 

What’s important here is that the data retention scheme does contain an element of data creation – and the responsible minister should at the very least be aware of, and preferably up front about, this.