AGD stops Australia Post going cyber-Clouseau

Australia Post's rejected application for warrantless access to our stored telco data highlights the need for some consistency of standards -- and perhaps a new agency.
Written by Stilgherrian, Contributor

It would appear that the Attorney-General's Department (AGD) has done something sensible -- but to explain why, I'll need to scroll back a bit.

When mandatory telco data retention laws were passed in March 2015, Australia's favourite attorney-general, Senator George Brandis QC, emphasised their importance in fighting the very worst of crimes.

"Metadata is the basic building block in nearly every counter-terrorism, counter-espionage and organised crime investigation. It is also essential for child abuse and child pornography offences that are frequently carried out online," Brandis said in a joint statement with then communications minister Malcolm Turnbull.

"We also recognise that the right to privacy and the principle of freedom of the press are fundamental to our democracy. For these reasons, the Bill contains new and strengthened safeguards. These include the provision of new oversight powers to the Commonwealth Ombudsman; a reduction in the number of agencies accessing metadata from over 80 to 21; and specific protections for journalists and their sources."

But as ZDNet reported on Monday, more than 60 agencies want their warrantless access back, including such noted counter-espionage agencies as Bankstown City Council, and that stalwart in the fight against online child exploitation, Victoria's Taxi Services Commission.

Things seemed to be unfolding just as many observers feared.

Despite the Brandisurances that data retention was all about protecting us from the worst of the worst -- what Privacy International's Carly Nyst would call the Nazi pedo justification -- once the news cycle had moved on, government agencies would be quietly added back in. We'd be back to where we started, just with less privacy and fewer human rights.

Despite the rhetoric, data retention would end up being about making sure our recycling bins were lined up handle to the kerb -- or the other way around, I forget -- and the pursuit and promotion of major and enduring improvements in the provision and accessibility of services in the commercial passenger vehicle industry in Victoria.

But no.

On Tuesday, Crikey brought the news that AGD rejected Australia Post's application for warrantless access to our telecommunications data.

"Crikey has confirmed that Australia Post applied after the legislation came into effect in October but was rejected. Australia Post wanted to track stolen mobile phones from the company's retail stores by tracking their location using information stored by the carriers themselves as part of the mandatory data retention scheme," Crikey wrote.


Because, dear Australia Post, we already have people tasked to investigate the crime known as theft. They're called "the police". And if our hard-working men and women in blue haven't prioritised tracking down a few hot low-end ZTEs over their aforementioned investigations into terrorism, espionage, organised crime and so on, that doesn't mean you get to go all cyber-Clouseau.

AGD's decision is a pleasing sign that Brandis' rhetoric may actually mean something -- that the Attorney-General does indeed believe in our right to privacy, and won't just roll over for some legislative tummy-tickling at the first sign of a uniform, or the heady whiff of authority.

But what is the standard for access to telco data? What should it be? There's a pretty big grey area between "terrorism yes" and "stolen phone no".

The answer will lie in how AGD deals with the other 60 agencies on the list. Finding out what that answer is shouldn't be down to a handful of journalists and well-motivated citizens winkling it out of public servants through persistent freedom of information (FoI) requests. Something about democracy and transparency, yeah?

As Fairfax Media calculated last year, around 2,500 officials can grant warrantless access to telco data. How do we ensure they apply the standard for access consistently? How do we ensure that, if and when any of the 60-odd agencies are added back into the mix, they also understand the balance between our right to privacy and the "needs" of law enforcement?

Police officers get at least some training and plenty of hands-on experience in these matters. The brave warriors of Bankstown City Council or Harness Racing New South Wales, maybe not so much.

Perhaps we need an independent agency to maintain the standard of access. After all, we don't want senior police refusing telco data access for a certain level of crime, only to have their equivalent numbers at the WA Department of Fisheries handing it out like so much candy.

I agree with law enforcement agencies when they say the day-long process of getting a warrant for every access to data would be impractical. I've said before that some simpler process is needed -- less than a warrant, but more than just an internal sign-off by your boss. Such an agency could perform that function too, establishing a consistent body of case law.

Now there's a line in Brandis' statement from last March which needs correcting.

"This [the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014] represents the fourth tranche of national security legislation the Abbott Government has successfully implemented since October 2014," he said.

No, Minister. The legislation was merely passed by parliament. The mechanisms are still being implemented, and that'll take years. Don't congratulate yourself so soon.

"Through these laws, the government has addressed pressing gaps and needs in Australia's national security and law enforcement framework," Brandis said.

Indeed. And now Australia has moved on from Tony Abbott's forever war, and we're building for a more confident future. Now is the time to cut back on the haste, and do something more important than patching the "pressing gaps". It's time for structuring laws on considered principles, and founding institutions for the nation's future.

As just one example, the Parliamentary Joint Committee on Intelligence and Security (PJCIS) review of mandatory data retention recommended that mandatory data breach notification laws be put in place before data retention commenced. That wasn't done. Draft laws were only released in December.

On Tuesday, the Guardian reported news of seven serious data breaches by the Australian Federal Police, including one case where they accidentally gave an assault victim's details to their alleged attacker.

Imagine the possibilities for even worse mistakes with the greater volumes of personal information that data retention entails.

The question I want to leave you with is this: Does Brandis want to be remembered for his leather-bound trappings of government and a series of press releases announcing a scattergun of patches, or for something of lasting, consistent value? We'll soon see.
