On metadata legislation and used-car salesmanship

Australia's proposed data-retention laws still leave too many questions unanswered. Turnbull and Brandis must fill in the blanks.
Written by Stilgherrian , Contributor

Forget the sales pitch; always read the contract before signing. What's sensible in a business context is doubly so when it comes to voting draft legislation into law — say, for example, Australia's proposed new data-retention laws, the third of three "tranches" of national security legislation to be introduced this year.

The transcript of Thursday's press conference is certainly useful, because you can see how the players want to play it — Communications Minister Malcolm Turnbull; Australia's favourite Attorney-General Senator George Brandis QC; and the heads of the Australian Security Intelligence Organisation (ASIO) and the Australian Federal Police. The Bill's explanatory memorandum is also useful, to a point, because it indicates which bits of the legislation supposedly implement the government's intentions.

However, the explanatory memorandum, like the press conference, is merely part of the sales pitch.

For the truth, you need to go directly to the source — in this case, the 51-page document that is the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014.

It's not an easy read, because you have to understand what it says in the context of the Telecommunications (Interception and Access) Act 1979 (the "TIA Act"), and, in turn, the Telecommunications Act 1997. But the truth is never easy.

According to Turnbull, the list of agencies that will have access to telecommunications metadata will be limited to "what you might describe as traditional law-enforcement agencies, police, Crime Commission, ASIO, Customs, and so forth". Given the widespread feeling that the existing TIA Act gives warrantless access to metadata to far too many agencies, this is a good thing.

But beware the weasel words: "and so forth".

The Bill does indeed reduce access from any "enforcement agency" to a list, in Section 110A(1), of bodies described as "criminal law-enforcement agency" — but there's a gotcha. Section 110A(3) would give the attorney-general the power to declare other government authorities or bodies to be a criminal law-enforcement agency too, adding to the list.

Similarly, the list of communications for which data must be retained is defined, in Section 187A(3), as those "(i) operated by a carrier; or (ii) operated by an internet service provider (within the meaning of Schedule 5 to the Broadcasting Services Act 1992); or (iii) of a kind prescribed by the regulations".

What data must be retained? Section 187A(1)(a) says, "information of a kind prescribed by the regulations".

Section 187A(2) says that any information so prescribed must fit into certain categories that are, essentially, the things you might expect: The date, time, and duration of a communication, the source address, which customer owns that account, and so on. It also explicitly excludes, in Section 187A(4), "information that is the contents or substance of a communication", and "an address to which a communication was sent on the internet".

The intention is that this "puts beyond doubt that service providers are not required to keep information about telecommunications content" or "keep information about subscribers' web browsing history".

But saying that ISPs are "not required to retain" that data is not the same as prohibiting them from retaining it for other purposes. And once the data is retained, there's nothing in the Bill that would seem to prevent a criminal law-enforcement agency from simply issuing a subpoena to gain access — although, as I said, the Bill is not an easy read.

So, in summary, the specifics of exactly what communications the data-retention regime applies to, what data is to be retained, and which agencies may access it are all weaselled out. The details will come in the regulations, or in regulation-like declarations by the attorney-general.

And where are those regulations? Nowhere to be seen. Draft regulations have not been provided, even though we know the Attorney-General's Department has been working on data-retention concepts since at least 2008.

The data-retention Bill is also being sold as "urgent" and "critical", and yet ISPs would be given almost two years to become compliant. Somehow, those two facts don't seem to fit. The rhetoric is, as always, about rooting out terrorists and child abusers — what Privacy International's Carly Nyst called the "Nazi Pedos" shtick — although there's nothing in the legislation to limit data retention to such extreme cases.

The whole thing feels rushed. Whether that's down to a deliberate attempt to avoid scrutiny, or simple incompetence — it's becoming harder to tell with this government — either way, it's not good.

Since the 9/11 attacks in 2001, the Australian parliament has passed more than 60 pieces of legislation granting more powers to law-enforcement and intelligence agencies, none reducing them. Powers only seem to be cut back during once-every-generation investigations, such as the Royal Commission on Intelligence and Security, the so-called "Hope Royal Commission", which was conducted 1974-77. Or, for that matter, in the wake of whistleblowers like Edward Snowden.

Earlier this week, opposition leader Bill Shorten had second thoughts about the first tranche of national security legislation, and requested a review — after he and his Labor party had already voted for the legislation and it had become law. After it had been foreshadowed for months, gone through all three "readings", as they're called, in both the House of Representatives and the Senate, and been reviewed by committee.

Imagine how much scrutiny regulations and ministerial declarations are going to receive, when they're simply tabled and parliament is given a brief opportunity to veto them.

These regulations to an amended TIA Act aren't about some transient matter, like how many live sheep can be exported to Indonesia next year. They're about the fundamentals of the ever-changing power relationships between the government and the governed, something that'll affect us for decades to come.

Perhaps Turnbull and Brandis are merely benign, but what about the next government? Or the one after that? Or the one after that?

If you were buying a used car, you wouldn't sign the contract if key clauses were missing — or, rather, key parts of the car. You wouldn't trust some hand-waving salesperson, with their reassuring "and so forth", to supply them later. So why would you do the same with Australia's national security legislation?

Editorial standards