Note to data-retention law makers: The internet is not a telephone

Australia is developing its mandatory data-retention legislation with a flawed process that will inevitably produce bad laws. Start again.
Written by Stilgherrian, Contributor

Wednesday's public hearing by the Joint Parliamentary Committee on Intelligence and Security (JPCIS) highlighted serious problems with the Australian government's proposed laws for setting up a mandatory data-retention scheme -- problems that should have been fixed long before things reached the committee stage.

I'm not talking about the problems we've discussed before. Problems like key definitions still missing, meaning that the law is "little more than a shell for such a scheme", as the Gilbert + Tobin Centre of Public Law at the University of New South Wales wrote in its submission (PDF). Or problems like the proposed two-year retention period being longer than almost anywhere else in the world.

Kerri Hartland, deputy director-general of the Australian Security and Intelligence Organisation (ASIO), actually addressed that last issue, telling the committee that around 10 percent of ASIO's requests for communications data are for periods of 12 months or more, and sometimes up to two years and beyond.

"Those cases relate to -- 10 percent may seem [like a] small number -- our most serious and complex cases. Typically, these relate to activities of hostile foreign nationals or nations engaged in spying and influence operations against Australia. It absolutely needs to be two years from our perspective," she said, indicating that ASIO's confidential submission had more detail.

Alas, without that confidential submission in front of us, who can say?

No, I'm talking about the fact that almost everyone involved still seems to think that the internet is a telephone.

Actually, that's unfair. But the entire process for developing the data-retention laws is built around taking the existing law, the Telecommunications (Interception and Access) Act 1979 (the "TIA Act") and its parent, the Telecommunications Act 1997, and making minimal changes to incorporate the internet.

As a result, the discussion always comes back to telephone analogies. Such analogies will inevitably fail to capture the nuances. Such discussions will inevitably fail to consider the aspects of the internet that are radically different from the telephone, and might therefore require radical changes to the law. They fail to consider whether something that was reasonable with a telephone becomes unreasonable in an internet context, and vice versa.

It's a bit like taking the law relating to horse-drawn stage coaches and trying to update it for the age of internal combustion engines. How fast and for how long can these new vehicles be driven between rest stops, say, to prevent cruelty to buses? Like, what?

It's this sort of thinking that took us down the rabbit hole of arguing about what is and isn't metadata. As I've written previously, this idea that there are two categories of data -- "content" that requires a warrant before police and spooks can access it, and "metadata" that can be accessed without a warrant -- is an accident of technological history. That was how the analog telephone system worked, but the internet is not a telephone.

Australia's favourite Attorney-General Senator George Brandis QC has told us repeatedly that he favours a minimalist approach to implementing new national security legislation. He seems to believe that means changing as few words of the law as possible.

But that strikes me as hopelessly naive, especially when the structure of the internet is so radically different, both technologically and in terms of how it intertwines with our private lives. And it's hopelessly inefficient. You don't build a jet airliner by starting with a steamship and tinkering with it until you get it right.

No, the government needs to start again. We need to rewrite the TIA Act from scratch. We need a top-down approach, based on a fresh statement of principles about our rights and freedoms, and about the powers we do and don't wish to give to our law-enforcement and intelligence agencies. We need to define the circumstances under which they're allowed to discover our identity, or our location now, or records of our location in the past, or access our financial records.

That way, we won't end up arguing whether some specific piece of data is called "content" or "metadata". Instead, it'll be the more obvious matter of whether it fits into the allowed circumstances.

We also need to consider a point raised by John Stanton, chief executive officer of the Communications Alliance.

"We have perhaps at times grown a little weary of hearing this proposal described as a requirement to do no more than service providers do today. It is in most cases far from that. It is a data creation regime as well as a data-retention regime, for all of those providers who do not presently retain everything in the data set," Stanton told the committee.

It's one thing to give police and spooks access to personal data that an organisation already collects. It's quite another to require organisations to create whole new data sets for which they have no business use whatsoever -- essentially turning them into branch surveillance agencies.

We also need to remember that everyone's understanding of the impact of technology changes every year -- even for those who are most familiar with it. We therefore need a legislated requirement for the law to be reviewed every few years -- not just a superficial look-see, but a detailed examination of whether the laws can still be justified in the face of technological changes.

We'll also need to hear how the police's and spooks' jobs have been made easier by technology, not just how it's made things easier for the bad guys. So far, we're only hearing one side of the story.

And while we're at it, let's send all the PJCIS members off to an intensive five-day training course covering internet architecture, and communications and human rights law -- because the PJCIS needs to understand the internet on its own terms.

All of this would also help the government show that it's taking a strategic long-term approach to the vital issue of national security, perhaps killing off the perception that it's always creating half-baked legislation in response to a few narrow interest groups and the spin of the daily news cyc...

Oh, who am I kidding? This will never happen.
