A review of the mass surveillance scheme established by the Abbott government six years ago has revealed how it is being widely abused in ways voters were assured would never happen.
The government’s data retention regime, which compels communications providers to retain personal information on service use by customers for two years, is currently the subject of a statutory review by the Parliamentary Joint Committee on Intelligence and Security.
When the Abbott government introduced the scheme in 2014, it assured Australians that the unprecedented level of surveillance of their communications metadata — which can be used to construct a detailed portrait of an individual’s life beyond that provided by any content they may use — would be subject to strict controls.
Its use would be limited to serious offences and a small number of security agencies — just 22 across the state and federal governments.
Those commitments have turned out to be false.
Telecommunications companies and the Communications Alliance, the body representing most telecommunications providers in Australia, made submissions to the committee last year that scores of bodies other than the 22 security agencies specified in the data retention legislation were routinely seeking retained data.
According to the Communications Alliance, bodies such as local councils, the Victorian racing integrity regulator, taxi bodies, a vet body and anti-dumping agencies have used a loophole under which they are able to request retained data from telecommunications providers, via s.280 of the Telecommunications Act.
In evidence to the committee earlier this month, the Communications Alliance went further, explaining “when agencies outside the 22 CLEAs make data requests … those requests can be imprecise. Sometimes these agencies don’t know exactly what they’re looking for or what they’re trying to find. Often they also have difficulty interpreting the data that they receive, come back to the service provider and try to work their way through it.”
This has also led to the content of communications such as the URLs users are accessing being disclosed by providers, in direct defiance of the intended limitation of data retention to metadata only.
Then-attorney-general George Brandis notoriously made a fool of himself trying to explain that the scheme would be strictly confined to metadata rather than content such as URLs, but according to Christiane Gillespie-Jones of the Communications Alliance, URLs are “sometimes, but not always by far, being provided by providers because of the difficulty of separating out specific data points. I suspect that the same might be the case with location data.”
Gillespie-Jones also told the committee that retained data was being obtained for civil court proceedings, yet again in defiance of the purported limitation of data retention to serious criminal offences.
Data that would otherwise be deleted, but which is now being retained at the request of security agencies, is being caught by other provisions of telecommunications legislation, and processes such as court subpoenas, and dragged into activities voters were assured it would never be used in.
At a previous hearing, staff of the Commonwealth Ombudsman told the committee they were also aware of over 100 instances of information being incorrectly provided to security agencies in 2017-18, including over 40 cases of information for the wrong period being provided and 13 cases of data not asked for.
The Ombudsman’s office also argued that it was straightforward for security agencies to evade the requirements of the “journalist information warrant” process, intended to provide an extra hurdle when agencies want to obtain metadata to identify a journalist’s sources:
“If an agency has a sense of who the source might be, they can get an internal authorisation to access the potential source’s data and, in so doing, identify those phone numbers and so forth that the potential source was communicating with, and it may turn out that one of those is the journalist. And so there is a way in which the journalist’s source is identified but without accessing a journalist information warrant.”
Security agencies are also routinely keeping data indefinitely (something not prohibited by the data retention laws), enabling them to connect data from different requests and thus assemble a richly detailed portrait of individuals.
Each new request potentially adds further layers and connections to existing data on targets such as whistleblowers, journalists, lawyers — some of the recent targets of the Australian Federal Police and ASIO.
Data retention critics repeatedly warned that each of these outcomes would inevitably result from such a scheme: that retaining user data would prove an irresistible honeypot for non-security agencies, that mission creep would mean the scheme would stop being about “the most serious criminal offences” and start being about parking fines and rubbish bins.
They warned that metadata and content could not be cleanly separated, that journalists and whistleblowers would be the target of the scheme and that agencies would compile data in order to construct ongoing profiles of large numbers of people.
Those critics were ignored at the time, particularly by the media, which only woke up to the threat posed by data retention at the last minute and were placated with an exception that, as the Ombudsman representatives noted, is trivially easy to evade.
It’s now up to the government-controlled intelligence and security committee to push for fixes to a scheme that was fundamentally flawed from the outset.
Has anyone in this mendacious mob defined “serious offence”?
What was the vote in parliament to pass these “laws to break laws”?
And now Dutton wants more power to use the ASD against Australians. Another step into an unhealthy authoritarian police state.
I think the critics would be less worried if these extraordinary powers were used only in extraordinary situations. But that is not the case.
For example, when the anti-encryption laws were introduced the government played the terrorism and child exploitation cards to justify the need but then tried to get the legislation passed so that it would apply to almost any suspected crime. And we will see the same modus operandi again with the ASD legislation.
This is what results when MPs are clueless about IT. Some of the current bunch would be hard pressed to understand anything more demanding than despatching an email or doing a Google search.
And yet they are voting on bills which increasingly compromise our citizens and erode privacy. It’s akin to handing a loaded gun to a toddler, it can only end in destruction.
Agreed, they’re just a bunch of dangerous amateurs... now we just have to wait until we are under surveillance by dangerous efficient experts...
What!
Next you’ll be telling me that burning fossil fuels leads to climate change, and that the summer fires weren’t caused by greenies and lack of hazard reduction burns.
You have to work hard to fool the Australian people.
HARD. As a bowling ball.
Oh hold on, bowling balls are pretty hard.
Dumb, me? Who you calling dumb.
And of course, when these concerns were legitimately raised at the time, those raising the concerns were simply brushed aside. One of the classic hallmarks of conservative governments is the level of control they like to be able to exercise over their citizens. They, of course, don’t exercise much control over the rich and business – oh no, no, no. They can be trusted to make decisions in the interests of a free-market. It is individual citizens and any mechanism they might use to band together in any form of collective, that are the real threat. This is the archetypal way that conservative governments progressively and surreptitiously erode the rights of citizens and drag us inexorably towards something that is more indicative of fascism rather than democracy.
I hear routinely that we have lost trust in our political institutions, but when Mr Potato Head and Scotty from Marketing insist they are taking these steps to “keep Australians safe”, we tend to leave it to them rather than asking ourselves where what they are proposing will end up – the real question that should be asked. When you don’t trust someone, I thought you would assume the worst until you had evidence that they had earned trust on a particular matter, but apparently, this is another example of us saying one thing and doing another.