What a croc: NT Police data retention proposal 'overreach'

Retaining a record of every website a customer visits and all other metadata is incompatible with the new Privacy Act, according to iiNet.
Written by Josh Taylor, Contributor

Northern Territory Police's call for ISPs to be forced to retain their customers' web browsing history for two years has been labelled as a massive overreach by Australia's third-largest ISP, iiNet.

Earlier this week, ZDNet reported that the NT Police had called for web browsing history to be retained in a submission to a parliamentary committee's review of the Telecommunications (Interception and Access) Act.

"The NT Police are supportive of a data retention regime of two years. Such a regime would assist law enforcement agencies in investigating serious crimes. The NT Police are not in favour of excluding browser history," the NT Police said.

Under current laws, only the so-called metadata, such as call time, location, number, and billing information, can be obtained by police without a warrant, but the NT Police said that web browsing history needs to be included in any revision of the Act.

"This is inconsistent with the spirit of a revised Act being technology neutral. With the shift from traditional telephony services to IP-based services communications taking place on Facebook, Twitter, Google Plus, and other IP platforms, this data may be included in browser history, and is important to capture as telephone records for law enforcement purposes."

The call is in contrast to that of the NT Police's federal counterpart, which specifically said that it was not seeking web browsing history.

Even if the government were to consider asking ISPs to retain customer web browsing history, it is unclear that such a proposal would be easy for the ISPs to comply with.

iiNet's head of regulatory and government affairs Steve Dalby told ZDNet that iiNet doesn't retain browsing history, and never has.

"I doubt anybody does. It's not needed for us to carry out our business, and even if we did, the new privacy legislation makes it very clear that we must not retain stuff if we don't need it," he said.

Under Australian Privacy Principle 11, which came into effect this week as part of changes to the Privacy Act, a business must not retain information for any longer than it needs the information, and must destroy or de-identify the information. Dalby said that retaining all customer web-browsing history would potentially breach that principle.

"It's hard to imagine that 'We might need some of it, one day' is justification for overriding that obligation," he said.

"It looks like a major over-reach to propose such massive data collection and retention."

With more and more devices such as tablets, cars, cameras, and Wi-Fi hotspots now connected to the internet, as well as the growing number of people under 18 with smartphones, Dalby said that it also raised questions about what data should be retained from those devices. He said that the NT Police's proposal "beggars belief", considering the amount of data ISPs are required to retain.

"It just beggars belief that these comments have been made by someone that has actually considered the numbers and the technical difficulty of collecting, storing, and retrieving such massive amounts of data," he said.

He said that iiNet could not be supportive of such a proposal. iiNet has previously spoken out against the data retention proposal, and has suggested that taking into account the 1 million URLs iiNet customers visit every second, the storage costs would mean that the company would need to charge customers an extra AU$5 per month each to pay for it.

In its submission to the inquiry, digital rights group Electronic Frontiers Australia said that digital communications have eroded the line between the so-called metadata of communications and the content of communications.

"When using a web-based service, the URLs of web requests would constitute metadata. A list of URLs accessed would effectively constitute a detailed account of user interaction. Rather than telling us that the user visited a library, metadata would provide a list of which pages of individual books were read," EFA said.

"This potentially detailed information should require more oversight than metadata of phone and mail services that provides only 'envelope' information. In addition, significant personal information may sometimes be encoded in URLs. For example, this might include account information of financial or other personal services and other very specific private information that accompanies 'content' information."

The organisation said that online, metadata can arguably give you a much greater insight into the person than traditional telecommunications metadata, highlighting a 2009 study of 4,000 Facebook profiles that was able to determine the sexuality of individual users by analysing the friends lists of self-identified gay men.

"The content of our posts become irrelevant; our metadata defines us," the EFA said.

The group called for software, data streams, digital images, audio, and all other digital traffic via web browser or internet connection to be excluded from the metadata access regime, and for access to that data to be limited to the "bare minimum" of government agencies.
