Companies that provide customers with a connection to the internet may soon have to retain subscribers' private web browsing history for law enforcement to examine when requested, a move that has been widely criticised by industry insiders.
The Attorney-General's Department yesterday confirmed to ZDNet Australia that it had been in discussions with industry on implementing a data retention regime in Australia. Such a regime would require companies providing internet access to log and retain customers' private web browsing history for a certain period of time for law enforcement to access when needed, according to Australian internet service provider sources.
Currently, companies that provide customers with a connection to the internet don't retain or log subscribers' private web browsing history unless they are given an interception warrant by law enforcement, usually approved by a judge. It is only then that companies can legally begin tapping a customer's internet connection.
In March 2006, the European Union formally adopted its data retention directive, which the Australian Government said it wished to use as an example if it implemented such a regime.
"The Attorney-General's Department has been looking at the European Directive on Data Retention, to consider whether such a regime is appropriate within Australia's law enforcement and security context," a statement from the Attorney-General's Department to ZDNet Australia said yesterday. "It has consulted broadly with the telecommunications industry."
The EU regime requires that the communications providers from certain EU member states retain necessary data as specified in the Directive for a period of between six and 24 months.
One internet service provider (ISP) source told ZDNet Australia that the Australian regime, if implemented, could go as far as recording each URL a customer visited and all emails.
That source said such a regime "would be scary and very expensive".
Another industry source said Australians should "be very f***ing afraid".
They said the regime being considered by the Australian Government could see data held for much longer than the EU Directive time of 24 months; it would be more like five or ten years.
"They seem quite intent [on implementing the regime] and they keep throwing up the words 'terrorism' and 'paedophiles'," the source said. "We're talking browsing history and emails, way beyond what I would consider to be normal SMS, retaining full browsing history and everything."
The office of the Attorney-General has since denied that the data retention regime would involve recording users' web browsing history.
Internet Industry Association (IIA) chief executive officer (CEO) Peter Coroneos also confirmed that the industry was having discussions with the Attorney-General's Department.
"There have been some preliminary discussions with the Attorney-General's Department about a proposal for a data retention regime in Australia, but I think those discussions are at a very early stage," Coroneos said. He said the IIA hadn't "seen any firm proposals yet from the government".
"It's more along the lines of [the Attorney-General's Department asking] 'What do you see the issues as being if we were to move to a position similar to the EU'," he said.
"But as I say, there wouldn't be any intention, I wouldn't think, to move to any policy position on this unless there was a full public debate about the proposal."
If the idea were to move to a more "serious proposal", Coroneos said the IIA's view would be "to engage not only with the industry but also the community in a proper discussion".
Electronic Frontiers Australia (EFA) chair Colin Jacobs said the regime was "a step too far".
"At some point data retention laws can be reasonable, but highly-personal information such as browsing history is a step too far," Jacobs said. "You can't treat everybody like a criminal. That would be like tapping people's phones before they are suspected of doing any crime."
He added that browser history could reveal all sorts of personal information. "And furthermore, the way the internet works, it's a huge amount of data to be kept and it requires some snooping on the part of the ISPs into which [web] pages people are looking at."
In February, the Senate passed a Bill allowing ISPs to intercept traffic as part of "network protection activities". According to an ISP source, it's likely another Bill would be required for a data retention regime to be implemented.
"It is likely that new legislation will be required to put any [data retention] obligations in place," the source said. "It seems to be early days yet, and we have an election looming, which means there will be some time required to get any new law in place."
Update at 1:00pm, 14 May 2010: Added "according to Australian internet service provider sources" to the second paragraph to clarify that Australian ISP sources claimed that this is what the Australian version of the Directive could look like. A link to a story with further comment from the Attorney-General was also added.