Be Careful What You Click For...
By Bernard LaganSeptember 13, 2012
Oh, no spies would ever read all the intimate details of your life as it passes through the internet — bank details, health news, love letters. The government just wants to hold onto that stuff for you. To keep it nice and safe.
The average Australian Internet user downloads 8.4 gigabytes of data a month from the bottomless online world. It's the equivalent of about 1,800 books. While we'd know if we amassed such a library, bits, nibbles (four bits), and bytes (eight bits) are, for many of us, opaque measures. So we browse through our 53 billion-plus bits a month, discarding much of it, untroubled by the volumes we're reading, listening and watching.
And if the figure seems vast, consider this: our consumption of online text, images, video and sound grew by 56 per cent in the last three months of 2011, compared to the same period in 2010. And this occurred with little of the National Broadband Network — the super high-speed Internet tunnel that will be eventually be accessible to most Australian homes.
Just quietly, our police, spies and defence organisations are spooked by the implications of this scenario. The Internet has brought about a revolution in the way people communicate with each other, through social media and Internet phone platforms such as Skype. And Australians, like most people in the wired world, can now rapidly access information that defies state control for content and quantity.
The blowback from the Australian intelligence and law enforcement agencies came a few weeks ago when the federal Attorney General, Nicola Roxon, released what was called a discussion paper — in effect a log of claims by the nation's intelligence agencies and the federal police — that proposes ramping up the degree of surveillance they cast over the everyday communication of citizens, especially their online activities.
Of course, the array of state-based law enforcement and anti-corruption bodies doesn't want to be left less empowered than its federal counterparts when it comes to surveillance activities. So, since the discussion paper was released, police forces across the country, from Tasmania to the Northern Territory, have scrambled to lodge their own claims for increased powers. These claims can be found among the 170 or so submissions to federal parliament's Joint Committee on Intelligence and Security, which is now holding an inquiry into the increased surveillance proposals.
We'll come later to those submissions — many of which are vehemently opposed to what the intelligence agencies and police want. But first let's examine the most startling of the new powers being sought by the federal police and spy agencies:
They want to force Internet service providers — the likes of Telstra and Optus — to record and store, for up to two years, the details of emails that people send and receive. That is, the websites they visit, and when and with whom they have communicated over the Internet.
It's known as data retention, and it's the new holy grail for spy and law enforcement agencies, which are massively frustrated that their existing arsenal of authorised surveillance — such as phone taps, listening devices, and limited access to our computers — has not kept pace with the explosive growth in our Internet usage.
Already, the savviest Internet users in Australia are plotting to get ahead of the looming surveillance regime. The Freedom Not Fear campaign, launched in Europe in 2007 to counter data-retention proposals, has spread to Australia. Meanwhile, gatherings known as Crypto Parties, which teach Internet users how to avoid surveillance, are advertised on social media, with dates scheduled in Sydney, Melbourne, Canberra and Brisbane.
In broad terms, mandatory data-retention schemes require Internet service Providers (ISPs) and telecommunications companies to collect and store details of each IP address (an Internet subscriber's unique identifying code) you access for up to two years. That's a record of every step you take, every click you make online.
The government's discussion paper is, however, extremely light on the details of how intrusive the Australian data-retention scheme might be. We know that the history of our Internet use gathered under the scheme will have to be stored by the ISP or telco for the two-year period and made available to a law enforcement agency if it makes a lawful request.
Indeed, given that that the government's 60-page discussion paper devotes one sole paragraph to the data-retention scheme, it is hard to dismiss the suspicions raised in some submissions to the Joint Committee on Intelligence and Security that the spy and police agencies would prefer minimal public debate on their plans.
We can assume, however, that it would most certainly include basic details of individual email traffic, such as the dates and identities of senders and receivers — but not, for now at least, the content of emails. Also included would be details of voice-over-Internet communications (such as Skype). Of all the submissions opposed to the government's proposals, that of Electronic Frontiers Australia — a national organisation which represents Internet users concerned with online freedoms — appears the best informed on the data-retention plan.
Electronic Frontiers describes data retention as an unprecedented threat to the right to privacy of all Australians, noting that Internet communications with colleagues, friends and loved ones are the most sensitive information people will generate in their lives. The EFA submission adds: "Even were it to be specified that the actual content of communications is not retained, information such as addresses of websites visited, email addresses and phone numbers to which messages are sent or received from, details of phone calls sent and received, and other online communications activities, along with associated dates, times and locations does amount, in many cases to content and is highly personal data."
The organisation argues that while much of an individual's retained Internet data might appear harmless in isolation — in aggregate the data will reveal highly intimate details of a person's life, including religious and political affiliations, sexual preference and health issues. To demonstrate how data can be aggregated to build a profile of an individual, Electronic Frontiers cites the recent controversial data-mining carried out by the Target chain of department stores in the United States. Target analysed the shopping histories of its customers to identify women likely to be pregnant or become pregnant in the very near future to whom it then sent special offers to purchase baby products. Closer to home, in June, Telstra apologised for harvesting the URLs (the global addresses of documents on the web) visited by some mobile customers and sending them to a foreign company.
While the government's discussion paper offers just the barest outline of the data-retention proposals, the Australian Federal Police (AFP), in their submission to the parliamentary inquiry, have since laid out a justification which opens with the line that they have been protecting Australians and their interests for over 30 years.
The AFP's submission implies that the national data-retention scheme would harvest and store for up to two years the "non-content" data of Australians' Internet activities. So while the content of emails, for instance, may well be excluded, details of senders and receivers, dates and possibly subject headings would be retained.
The AFP's submission then continues, with details that seem to confirm the fears expressed by Electronic Frontiers about what can be learned about an individual when such data is aggregated. The AFP says of this data: "It can provide important leads for agencies, including evidence of connections and relationships within larger associations over time, evidence of targets' movements and habits, a snapshot of events immediately before and after a crime, evidence to exclude people from suspicion, and evidence needed to obtain warrants for the more intrusive investigative techniques such as interception or access to content."
In the few weeks since their announcement, the data-retention proposals have deeply divided those Australians who have contributed to the inquiry. On one side, the Institute of Public Affairs describes data retention as a continuous, rolling systemic invasion of the privacy of every single Australian; while the AFP counters that the adoption of the scheme would not give intelligence and crime agencies any new powers. Because, says the AFP, data retention is simply making up for what law enforcement agencies are losing: access to the billing records of telephone service providers, which show who called whom and when. As more telephone services move to Internet-based systems, traditional telephone service providers will have less and less billing information which they can provide to police and intelligence agencies.
Aside from the fact that so much potentially revealing information will be harvested and stored for every Internet user, the new proposals raise two other important issues.
How can the government ensure that this stored data will be protected from abuse and leaks? And who is going to pay the costs of collecting such a mass of data and storing it for up to two years?
A large-scale database containing details of the Internet activities of Australians online (late last year there were 11.6 million Internet subscribers in Australia) will be a huge resource for law enforcement and intelligence agencies. Of course they'll have to apply to access the information for individuals and show its relevance to particular cases of criminal investigation.
But how will we guard against the temptation to expand the use of the data beyond the specific investigations for which it was originally accessed? Are we assuming that won't happen? Don't be too certain; in his particularly revealing submission to the inquiry, the NSW ombudsman, Bruce Barbour, who is charged with ensuring that NSW Police comply with current telecommunications interception laws, reveals that police now want to start using the "byproduct" of interceptions to build up their general intelligence activities.
As for the costs of storing this volume of data, they are likely to be foisted, for the most part, onto Internet service providers — such as Telstra and Optus. And inevitably these costs will be passed on to their customers. According to the UK Internet Service Providers' Association, the bill for the data-retention scheme in Britain has been assessed at AUD40million for set-up, with annual running costs of AUD14 million.
Meanwhile, European data-retention schemes have already run foul of courts in Germany, the Czech Republic, Cyprus, Bulgaria and Romania. When Germany's Federal Constitutional Court threw out that country's data-retention laws in early 2010, it gave a judicially eloquent renouncement of data retention:
"Depending on the use of the telecommunication, such storage can make it possible to create meaningful personality profiles of virtually all citizens and track their movements. It also increases the risk of citizens to be exposed to further investigations without themselves having given occasion for this. In addition, the possibilities of abuse that are associated with such a collection of data aggravate its burdensome effect. In particular since the storage and use of data are not noticed, the storage of telecommunications traffic data without occasion is capable of creating a diffusely threatening feeling of being watched which can impair a free exercise of fundamental rights in many areas."
Britain is in the throes of its own parliamentary inquiry into a data-retention scheme, and two of that country's Internet titans, the man credited with having invented the web, Sir Tim Berners-Lee, and the founder of Wikipedia, Jimmy Wales, have come out decrying the proposal. Jimmy Wales, in particular, believes data retention is unworkable. Wales has said that Wikipedia could easily thwart attempts to track what his site's users are reading by using encryption. One digital expert witness, Professor Peter Sommer, doubtless sent Britain's police and intelligence services into a spin when he publicly laid out to the British inquiry how Internet users could reduce or avoid surveillance by buying a data SIM card, by using only Internet cafes for communications and web browsing, or through members of a conspiracy using a shared email account in which emails to each other are saved as drafts and never sent.
Presumably, the wave of Crypto Parties in Australian state capitals will be exploring other ways to thwart the watchers.
The Australian inquiry into the proposals for increased surveillance — being conducted by the Joint Parliamentary Committee on Intelligence and Security — will resume public hearings in Canberra on Friday. The inquiry is set to report to the government on the merits of data-retention by year's end.