Australia's data-retention plans look increasingly out of touch

The tide is turning against mass digital surveillance, both politically and commercially, but is Attorney-General Brandis capable of even noticing, let alone changing, course?
Written by Stilgherrian , Contributor

When Australia's favourite Attorney-General Senator George Brandis QC took office, he said that national security would be his focus. True to his word -- at least in this matter -- his three "tranches" of national security legislation have culminated in one of the most comprehensive proposals for mass surveillance of ordinary citizens ever seen.

Mandatory data retention is the way that Western nations are going, Brandis said, committing a logical fallacy. Even if "Western nations" are indeed going that way, that's not in itself a rational justification for us following them. But the statement wasn't even true -- and it's becoming less true as time goes on.

I've previously written how some European countries have been dismantling data-retention systems after the European Court of Justice ruled such systems to be a violation of human rights. I've also written about Brandis' used-car salesmanship with Australia's data-retention legislation. But it's worth revisiting his going-that-way claim to see just how wrong it is.

Communications lawyer Leanne O'Donnell, whose day job is with iiNet, has compiled an update on how the West is backing away from data retention. It compares Australia's plan for a two-year retention period, and for access to be available to law-enforcement and intelligence agencies without judicial oversight, to the schemes in 29 other countries.

Only one country, Poland, has a system matching both characteristics of Australia's proposal. Most countries retain data for a year or less. Most countries require access to be authorised by a judge, magistrate, or prosecutor -- that is, with something equivalent to a warrant.

More importantly, eight of those 29 countries have separately ruled mandatory data retention to be unconstitutional, and in a further 10, it's under review or being challenged.

To say that the West is going the way of data retention is a serious misrepresentation.

Missing from O'Donnell's list is the United States. There, the Bill to pass what was called the USA Freedom Act would have shut down bulk data-collection programs. It was supported by Apple, Dropbox, Microsoft, Facebook, and other major Silicon Valley technology companies. It was defeated in the Senate last Tuesday night.

But that's not where it ends.

Silicon Valley has been hurt by Edward Snowden's revelations, especially companies whose strategies are all about personal and commercial data and the cloud. They need to reassure their international customers that using US-owned cloud companies won't automatically make their data subject to US surveillance -- and that's becoming ever more important as they focus on their next potential growth markets in the so-called BRICS countries of Brazil, Russia, India, China, and South Africa.

Silicon Valley will therefore continue to lobby the US government to rein in the NSA and its Five Eyes partners, lest their profits suffer.

There will also be further pressure internationally.

Last month, a report by the United Nations Special Rapporteur on the protection and promotion of human rights while countering terrorism -- catchy title, that -- concluded that mandatory data retention "amounts to a systematic interference with the right to respect for the privacy of communications", and therefore "it is incompatible with existing concepts of privacy for states to collect all communications or metadata all the time indiscriminately".

There will also be further pressure from individuals.

Earlier this month, the Pew Research Centre published its study Public Perceptions of Privacy and Security in the Post-Snowden Era, part of its long-term research on how the internet is changing American society.

"Perhaps most striking is Americans' lack of confidence that they have control over their personal information. That pervasive concern applies to everyday communications channels and to the collectors of their information -- both in the government and in corporations," Pew wrote.

Around 91 percent of adults in the survey agreed or strongly agreed that consumers have lost control over how personal information is collected and used by companies; 80 percent "agree" or "strongly agree" that Americans should be concerned about the government's monitoring of phone calls and internet communications, while just 18 percent "disagree" or "strongly disagree" with that notion; and only 36 percent "agree" or "strongly agree" with the statement, "It is a good thing for society if people believe that someone is keeping an eye on the things that they do online."

Clearly, companies that move to be the protectors of privacy will be the winners here. Those that strip-mine their personal data will soon be seen as the bad guys -- and the same would presumably go for governments.

In the UK, for example, research by Crtl-Shift showed how a new category, Personal Information Management Services (PIMS), could be worth £16.5 billion to the UK economy annually. That's about 1.2 percent of the GDP, comparing very favourably with the automotive industry's 0.7 percent, or the pharmaceutical industry's 0.97 percent.

In this context, it's interesting that WhatsApp has recently introduced end-to-end encryption for text messages in its Android app, with other platforms and communications types to follow. As an interview with Wired UK in February showed, this has been WhatsApp's plan all along.

"We want to know as little about our users as possible. We don't know your name, your gender... We designed our system to be as anonymous as possible. We're not advertisement driven, so we don't need personal databases," said WhatsApp co-founder Jan Koum.

Koum grew up in communist Ukraine, and like the information security professional I speak with from central and eastern Europe, he knows full well why you minimise the collection of personal data.

"I grew up in a society where everything you did was eavesdropped on, recorded, snitched on," Koum said. "I had friends when we were kids getting into trouble for telling anecdotes about communist leaders. I remember hearing stories from my parents of dissidents like Andrei Sakharov, sentenced to exile because of his political views, like Solzhenitsyn, even local dissidents who got fed up with the constant bullshit. Nobody should have the right to eavesdrop, or you become a totalitarian state -- the kind of state I escaped as a kid to come to this country, where you have democracy and freedom of speech. Our goal is to protect it. We have encryption between our client and our server. We don't save any messages on our servers, we don't store your chat history. They're all on your phone."

Quietly, yet with hundreds of millions of customers, WhatsApp has just created the largest end-to-end encrypted communications system on the planet -- and it's already processing more text messages per day than the traditional telcos' SMS systems.

Against this background, you'd have to wonder why Australia, and its attorney-general in particular, is pushing so hard for such comprehensive surveillance.

The most charitable explanation would be that the attorney-general's understanding of the issue is years behind the pace, and that he doesn't actually know what he's doing -- that he's merely a Cold War-era relic with a fancy bookshelf.

Another explanation is that the knows full well what he's doing.

Which explanation is more worrying?

Editorial standards