The Federal Government should not force internet service providers (ISPs) to retain information on email and other data from Australian customers until it conducts a cost-benefit analysis and justifies to the public why law enforcement agencies need such information, a Senate committee has advised.
A Senate committee investigation into the adequacy of protections for the privacy of Australians online delivered its report (PDF) today. The report advised that before the Attorney-General proceeds with any data retention scheme it must first be proven that such a scheme would make it worthwhile invading users' privacy.
The Senate inquiry was first launched after ZDNet Australia broke the news that the Attorney-General's Department was looking into a data retention scheme.
"The committee's central concerns about the proposal are the very real possibilities that it is unnecessary, will not provide sufficient benefit to law enforcement agencies, and is disproportionate to the end sought to be achieved. The proposal has very serious privacy implications, even if one accepts the arguments of the Attorney-General's Department and AFP that the same information is already available for fixed-line telephone records," the committee said.
The committee noted that the information held under the scheme would serve no purpose other than use by law enforcement agencies, and would be a "significant departure" from the principles of Australia's privacy regulation. The committee also noted that much of it would not be useful if criminals knew how to get around it.
"Furthermore, the committee considers that there is a very real risk that the most serious, tech-savvy criminals — particularly those involved in fraud and child pornography — will be able to evade monitoring in any respect as a result of technological developments."
If the Attorney-General's Department were to pursue such a scheme, the committee has recommended that the government conduct an "extensive analysis of the costs, the benefits and the risks" of the scheme. The government must then justify why any collected information is required, how much it will cost ISPs and how the government intends to monitor the scheme to ensure the data is stored securely.
The committee has also recommended that the Attorney-General's Department consult with a wider range of stakeholders before pursuing any proposal further, including privacy experts such as the Australian Privacy Foundation.
The reason for this level of detail, the committee said, was to ensure that the public was fully informed, unlike when the details of the scheme were first revealed.
"There is a lot of misinformation and rumour about the scheme, and it seems to the committee that this is largely due to the Attorney-General's Department's narrow consultations on the issue to date. While industry has been consulted, there has not yet been any discussion with the broader community or public interest and civil liberties organisations," the committee said. "While the committee acknowledges the Attorney-General's Department's explanation for this, the lack of information available to the public about the proposal has resulted in confusion, mistrust and fear about the proposal."
Among the other eight recommendations made by the committee were suggestions that the Australian Privacy Commissioner should also have powers to investigate potential breaches of privacy online, and should have the power to act on issues where users may have consented to handing over privacy in a consent form but may not have read the full detail, a practice known as "tick and flick". The committee also advised that although small businesses are exempt from the Privacy Act, small businesses that deal with Australians online and have a large amount of data about those customers should be subject to the Act. The Office of the Privacy Commissioner should also work with internet companies and ISPs to develop a model of "Do Not Track" to ensure that Australians can opt out of tracking of their online behaviour through internet cookies.
In a statement released this afternoon, committee chair Liberal Senator Mary Jo Fisher said the government needs to find a balance between protecting privacy and ensuring law enforcement agencies can do their jobs.
"Online behaviour and its data consequences don't really have a parallel in the offline world, which makes it hard to 'police' with offline thinking," she said "While we put more about ourselves 'out there', the bad guys are finding the internet easy to disguise their real identities. This makes it extra hard for law enforcement."
In hearings the committee held late last year, the AFP argued that data retention policies would just be maintaining the status quo for telecommunications interception. Last month the Attorney-General's Department advised a parliamentary hearing that if the government accedes to the European Convention on Cybercrime, data retention would be targeted to specific individuals suspected of serious crime.