X
Tech

Data retention's value for money still not proven: Criminologist

The AU$750 million being spent on Australia's mandatory metadata retention scheme could buy a lot of crime-fighting, says criminologist Rick Sarre. Meanwhile, police are challenged by the rise of cyber crime.
Written by Stilgherrian , Contributor

Australian police have yet to show that mandatory metadata retention represents the best "bang for your buck" for criminal investigations, according to a leading criminologist. But the government is already taking steps beyond that with its newly-announced counter-encryption plans.

"It comes back to that very delicate debate about, well, if you're got nothing to hide then what's your problem? We haven't had that debate," said Rick Sarre, professor of Law and Criminal Justice at the University of South Australia.

"Maybe the encryption data debate is there because metadata has just simply not provided the sort of information we need, or metadata has provided such a wealth of information that we now want to go further and get the encrypted data. I tend to think it's the former."

Sarre also said that we need to consider the opportunity cost of mandatory metadata retention.

"The metadata retention scheme is being costed over the next 10 years at AU$750 million. I would have thought you could actually spend a lot of good programming within certain communities in Australia for that amount of money, for a far greater bang for your buck," he told the 5th International Conference on Cybercrime and Computer Forensics on Australia's Gold Coast on Tuesday.

"Authorities do tout it as being a lynchpin in policing of terrorism generally, and they'll say on a regular basis that they have frustrated 10 or 12 terrorist plots, but for operational reasons can't tell us whether or not it was actually metadata retention that provided that lynchpin information. Obviously the causal link is something that researchers like myself would like to see."

Sarre noted that privacy and human rights expectations can be damaged by sharing metadata with nations with less stringent controls on its use, and that data surveillance can be discriminatory in its targeting.

He quoted former Australian prime minister Sir Robert Menzies, who in 1939 said that "the greatest tragedy that could overcome a country would be for it to fight a successful war in defence of liberty and to lose its own liberty in the process".

"I'm concerned that one of the great tools just hasn't shown its effectiveness to my satisfaction, namely to overcome the privacy and surveillance concerns that most of us would expect in a civilised country," Sarre said.

"Of the Five Eyes, Australia is the only one that does not have some form of charter of rights, or bill of rights. One could whimsically say that probably makes it a bit easier for police, but of course far less easy for the communities in which policing occurs ... We do and should tout and value our ability to remain outside the all-surveying eyes of those agencies in Australia, albeit for honourable reasons, if those eyes are flying in the face of the sorts of liberties that we've come to expect."

Sarre was questioning the cost and potential risks of metadata retention as part of his more general presentation on the challenges that cyber crime poses for Australian police forces.

Australia's 60,000 police already have a complex job. As well as detecting crime, tracking down offenders, starting the prosecution processes, assisting the victims, and sometimes frustrating crime by their simple presence, they're also expected to handle the less tangible tasks of maintaining community safety and confidence, reducing fear, and keeping the public aware of risks.

This policing costs every Australian around AU$300 per year, according to Sarre, a figure that's rising by around 3.4 percent per year.

Police are now expected to fight cyber-enabled crime as well: fraudulent financial transactions; identity theft; the theft of electronic information for commercial gain, including piracy; money-laundering; child exploitation material (CEM); image-based sexual abuse; harassment, stalking, and other threatening behaviour; and terrorist recruitment and propaganda.

"We're asking police to be incredible persons in relation to every one of these things, which really has been added to their responsibilities just in the last 20 or so years, if not sooner than that," Sarre said.

"This is a big task. This requires a degree of specialisation which, for the most part, a little bit of training is not going to master, and yet police are designed and supposed to be masters of all those things at the same time."

Police are also expected to deal with what Sarre called "cyber-dependent crime", or "the whole malware thing". Police need a "far greater degree of sophistication" to deal with such attacks.

"People who are intent upon disrupting a business or destroying a database [can] do it far more quickly and far more easily with a stroke of a keyboard than they might ever have done with the throwing of a firebomb," he said.

"We are now asking our rank and file police, who are not specialised in this area, to have at their fingertips the sorts of tools required to meet these new challenges."

Many if not most cyber crime investigations are transnational, but Sarre said Australian police force are hamstrung by regional cross-jurisdictional challenges, where certain nations are increasingly a source of cyber crime. National cyber crime laws are often culturally and legally different from Australia's, and some nations have no specific electronic crime laws at all.

Given the complexity of fighting cyber crime, and the specialised knowledge and skills that fight requires, Sarre suggests that handing the reins to other agencies could be one part of the solution. Police have already shown their ability to collaborate on investigations with other agencies, such as the Australian Securities and Investments Commission (ASIC). "In relation to cyber crime, police are necessary, absolutely necessary and essential, but of course not sufficient," Sarre said.

Some cyber crime policing tasks could even be outsourced to the private sector, freeing up police for tasks that require or better fit their unique skillsets.

The armed forces have shifted logistics operations to the private sector, at least in areas where combat skills won't be needed, for example. Society realised long ago that you don't need a police officer to stand outside a bank. Outsourcing work related to investigations is highly confidential, though, so security and confidentiality risks would need to be managed.

"Police need to ensure that their responses are cost and time effective," Sarre said.

"Police have an important role to be dancing with the music, but not always leading the dance, or choosing the music. They can't do it all. Police have a crucial role, but I'm not sure that they have the best role, because after all they are not necessarily trained in this specialised area, even though they're expected to respond accordingly."

Sarre's paper, Metadata retention as a means of combatting terrorism and organized crime: a perspective from Australia, will be published in the Asian Journal of Criminology later in 2017.

Editorial standards