Friday, March 20, 2015

Dear Senator, Please strike a better balance on metadata.

Dear Senator,

Journalists aren't the only people with sensitive metadata.  

Journalists' sources, lawyers, doctors, you and I, and countless others create digital data about ourselves that betrays our own expectations of privacy.

As many MPs in the House have already explained, law enforcement agencies can currently access our metadata with little oversight.

There's a need to tighten up access to our metadata and better protect our privacy.

The 'Data Retention' bill presents an opportunity to protect everyone's metadata in a way that has never been achieved in Australia.

But although the bill in its current form makes it slightly harder to access our metadata, it creates more metadata by demanding service providers keep certain information for two years.

Moreover, despite the best efforts of the parliamentary committee and individual MPs who have argued for improvements, the bill does not strike the right balance between privacy and law enforcement. 

It errs on the side of intruding into our private lives above the needs of security and law enforcement.

The argument that the 'Data Retention' bill creates a regime of "mass surveillance" is unhelpfully overstating the impact of the bill. 

But the bill oversteps the precarious balance between privacy and safety in a number of important ways that could be remedied in the Senate with appropriate amendments:

1. Serious crimes: Access to metadata won't be limited to the investigation of serious crimes.

The parliamentary committee reporting on the bill decided not to limit access to the investigation of serious crimes as requested by several key legal bodies. Instead the seriousness of the offence is one of several considerations in granting access.

Key to this decision was Australia's commitment to the Cybercrime Convention, even though this could be resolved by including offences under the Convention within the scope of 'serious crimes'.

The bill can be amended to limit metadata access to the investigation of serious crimes with 'serious crimes' defined to meet appropriate obligations.

2. Location data: The parliamentary committee acknowledged this was the most sensitive of all metadata required to be retained under the bill.  

Data about where we have used our devices while we walk, run, have coffee or wait for a bus goes beyond our understanding of 'metadata'.  It is much more intrusive.

Data about our location should be treated in the same way as content data.  A warrant should be required for access to data about where someone has been - in the same way a warrant is required for information about what someone has said.

The bill should be amended to remove location data from the set of metadata and clarifying a warrant is required.

3. Warrants:  This brings us to whether warrants should be required for access to all metadata.

The bill does tighten access to our metadata by limiting the number of agencies that can apply for data and by raising the threshold for granting access (the decision maker needs to consider the gravity and proportionality of the intrusion into privacy).

The additional requirement for a warrant would not, as argued, bring the system of access to a grinding halt, but would provide us all with the safeguards we expect.

Currently, our metadata can be accessed too easily. This is an opportunity to protect our metadata and make sure it is only accessed when warranted.

A warrant system for all metadata could be introduced into the bill.

4. Retention period: Two years is at least 12 months too long.  

Many would argue that no case has been made for a mandatory retention period: that not one enforcement agency was able to prove to the committee that storing metadata for two years would result in significantly better safety and greater prosecution of criminals.

Evidence produced for the committee showed that most requests for metadata occur in within six months of the data being created with 90 percent of requests generally occurring in the first 12 months.

Requiring retention for two years creates a cost and infrastructure burden for service providers (and consumers) that has not been justified by a clearly identified law enforcement need.

A shorter period of 6-12 months should be set - with a requirement for review to demonstrate the need for a mandatory period.

5. Creation of data: Despite government assurances that the bill only requires the retention of data already stored by service providers, it's clear this isn't the case.

A section of the bill requires providers to store the defined metadata if it's not already retained - and several companies have confirmed they don't currently retain all of the specified metadata.

Requiring companies to retain metadata they wouldn't ordinarily retain places an unfair burden on service providers and goes beyond the government's assurances about the impact of the bill.

Metadata not currently retained by service providers for commercial purposes should not be required under the bill.

6. Secret warrants: The introduction of a journalist information warrant to guarantee stronger protections for journalists' metadata (although not that of their sources) has a sting in the tail: anyone who discloses that a journalist information warrant has been sought faces two years in prison.

Attaching a secrecy provision to the warrant concession for journalists undermines its value in protecting free speech.

We will never know if warrants for journalists' metadata are being sought, for what purposes, or whether they are being appropriately granted and denied.

There is international recognition that protection of journalists’ sources is a critical aspect of freedom of expression that should be protected by all nations. 

The secrecy provision closes the books on any discussion on whether metadata is being used to undermine the freedom of the Australian press.

The provision prohibiting the disclosure of information about warrants for journalists' metadata must be removed.

This list of six concerns is not exhaustive.  It doesn't address the costs and difficulties imposed on service providers.  Nor the concerns raised about the regime creating a 'honey-pot' of data for potential hackers.

Critics have also pointed out that criminals can avoid any tracking by using communication systems beyond the scope or capacity of the data retention scheme.

The starting point for debate is that we need better protection for our metadata.  This bill is the result of a unsatisfactory barter between better protection for citizens and more data for law enforcers.

Please Senator, keep haggling.

No comments: