Wednesday, March 11, 2015

Five questions you should ask about the new metadata laws

The federal government has said it wants the new metadata legislation to be passed as soon as possible.  There are some important questions about the laws that you, as the subject of metadata, should ask.

In a nutshell, the laws make it compulsory for mobile phone and Internet providers to keep, for two years, information about you – their customers.

The information can then be accessed by law enforcement agencies in the investigation of crimes.

Agencies such as ASIO and the Australian Federal Police, as well as state police, say they use metadata to solve the vast majority of cases involving terrorism, sexual exploitation of children and cybercrimes.

The laws are not equivalent to mass surveillance in the vein of Edward Snowden’s revelations about the NSA in the US.

But there are reasons for nervousness and disquiet about the proposed way in which metadata will be collected, stored and accessed under the new regime.

Is the regime an unjustifiable intrusion?  Will technological advances render it unworkable and useless?  Will the legislation actually prevent or solve serious crimes?

These deeper questions aside, on a practical front, if the government presses ahead with its legislation, as it intends to, key questions need to be asked:

· Does ‘metadata’ really exclude content?
· Should data be kept about your location?
· Is two years too long?
· Who should be able to access your metadata?
· Should a warrant be required for access?

1. Does ‘metadata’ really exclude content?

At this stage, the ‘metadata’ required to be stored will include names and addresses of account holders, the type, source, destination, time, date and duration of a communication, and the location of the device at the beginning and end of a connection.

Content and web-browsing histories are explicitly excluded.

However, the requirement that ‘source’ and ‘destination’ information be retained opens the potential for the reconstruction of web-browsing histories.  This is disputed by the Attorney-General’s Department.

So while it is clear that service providers are not required to retain a person’s web-browsing history, the information that is retained could potentially be used to reconstruct a web-browsing history – although this would go against the intent and scope of the law.

Does ‘metadata’ really exclude content? Legally, yes, but it depends on how courts allow information about source and destination to be used.

2. Should data be kept about your location?

The government says the legislation will not allow your precise location to be tracked, but, in practice, sensitive information about the location of a device while it is connected will be retained and accessed and can be used to trace your movements.

The legislation explicitly excludes detailed and continuous location records.  This is intended to clarify that information amounting to geo-tracking is not to be retained.

The information that must be retained is the location of the device at the beginning and end of a connection ‘session’.  A ‘session’ can last anywhere from several minutes or hours to many months.

With respect to phone calls, or laptops, the duration of a ‘session’ can be clearly understood.  When it comes to the Internet connections of a smartphone, the concept of a ‘session’ is more difficult to quantify.

The legislation says only information that is ‘used’ by the service provider needs to be retained.  But the concern is that if a service provider has detailed records about the accurate location of a device on a continuous basis, this information will be available to law enforcement agencies.

Should data about your location be dropped from the list of required metadata?

Given the sensitivities of this sort of information, the retention of location data should be removed from the legislation.  

Location data should be treated like 'content' data.  ASIO and the AFP and other law enforcement agencies can access this information via processes with higher levels of oversight including a warrant.

3. Is two years too long?

Evidence produced for the Parliamentary Joint Committee reporting on the bill showed that metadata is most frequently sought within 12 months of its creation.

Some crimes do require longer investigations, but the evidence from a range of state police and overseas experiences demonstrated that only around 10% of requests related to data that was more than 12 months old.

The blanket rule of two years could be reduced to 12 months with the capacity for extensions to be requested under special conditions.

Some metadata is already held for longer periods, but the intention of the legislation is to set a minimum standard across the industry.  The question is whether the cost and complexity of establishing retention of metadata for two years is justified by law enforcement needs.

Is two years too long?  The evidence suggests 12 months would achieve a better balance between cost and usefulness.

4. Who should be able to access your metadata?

One of the clearly positive features of the legislation is that it tightens up the rules around which agencies can access information. 

Criminal law enforcement agencies will be able to access content and other stored information under warrant.  It has been recommended that ASIC and the ACCC be included as law enforcement agencies.

Another list of ‘enforcement agencies’ will be able to access the retained metadata without a warrant. In an ‘emergency’, however, the Attorney-General will be able to declare an entity to be an ‘enforcement agency’.

The list may include agencies like ASIC, the ATO and local councils, but has not yet been finalised.

The Parliamentary Committee reporting on the bill recommended that data kept under the regime should not be made available for civil disputes.

You should be allowed to access your own metadata and Telstra has recently made this process available.

5. Should a warrant be required for access?

The process for accessing metadata is an area of great concern.  Currently, any ‘authorised officer’ of an enforcement agency can approve access – a self-serve system of sorts.

There is a chorus of legal and human rights advocates calling for a higher threshold for access to metadata. 

Predictably, law enforcement agencies are concerned about operational delays or extra costs associated with a warrant mechanism.

An administrative process that provides greater control over access to metadata has high levels of support, but at this stage hasn't been included in the legislation.

The Committee has recommended a slightly higher threshold for the authorised officers to consider when granting access to metadata (“that it be proportionate to the intrusion into privacy”), but challenges to this can only take place after the intrusion has already happened.

Should a warrant be required for access?  In order to prevent misuse of data and unjustified intrusions into people’s privacy, authorisation should be required from an independent authority (whether it be a magistrate or tribunal).

Clarifying the use of 'source' and 'destination' data, dropping location data from the list and treating it as content, reducing the retention period to 12 months and requiring a form of warrant for access would satisfy some of the key concerns about the metadata retention bill.

Ongoing concerns remain about journalists and whistleblowers, security of data, and whether intrusions into privacy are justified for the public interest of law enforcement.
