Revisiting metadata retention in light of the government’s push for new powers
- Written by: Rick Sarre, Adjunct Professor of Law and Criminal Justice, University of South Australia
The Minister for Law Enforcement and Cybersecurity, Angus Taylor, foreshadowed this week that the Turnbull government will continue to pursue new law-enforcement powers that would allow authorities access to encrypted digital data in the fight against terrorism, organised crime and online crime, such as cyber fraud and child exploitation.
To assess the worthiness of this pursuit, it is useful to review the developments in the past six years regarding the government-mandated collection and storage of mass electronic data, referred to as “metadata”.
Read more: Police want to read encrypted messages, but they already have significant power to access our data
Mass metadata collection
Metadata does not contain content. It is simply information about the digital links involved in communications, the location of the caller and receiver, the date and time of the calls, and the length of the conversation. It includes data pertaining to short messaging service (SMS) text messages, and the Internet Protocol (IP) addresses of users’ devices.
Twenty-one law enforcement agencies have been granted access to track and retain metadata. Given the ubiquity of smartphones and other portable devices, these agencies can find an enormously rich trail of information regarding users’ locations, calls and networks.
Metadata retention emerged as a potential strategy with the release in 2013 of the report of the Joint Committee on Intelligence and Security. The Committee noted that such a scheme would be of “significant utility” to national security agencies.
The government responded in due course. In October 2015 new laws came into force requiring telecommunications service providers to retain and store their metadata for two years so that it remained available for analysis.
The prime minister at the time, Tony Abbott, explained the decision thus:
To help combat terrorism at home and deter Australians from committing terrorist acts abroad, we need to ensure our security agencies are resourced properly and have the powers to respond to evolving threats and technological change.
The government sought to allay any concerns about executive “overreach” by giving a role to the Commonwealth Ombudsman to assess an agency’s compliance with its legislative mandate.
Concerns at the time
There were several other concerns raised at the time of the passage of the legislation. The key one was that it had the potential to erode the very democratic freedoms that governments are duty bound to protect, such as freedom of political association. It was pointed out that democracies such as France, Germany and Israel had not legislated for mass metadata collection.
Moreover, in addition to general privacy unease, there was a concern that there was no guarantee that our allies – when analysing Australian metadata – would preserve the privacy safeguards set out under Australian law.
Read more: Metadata and the law: what your smartphone really says about you
Hackles were again raised when, in April 2017, an Australian Federal Police operative sought and acquired the call records of an Australian journalist without a warrant.
The AFP Commissioner, Andrew Colvin, quickly acted to alert the media and to offer the opinion that there was no ill will or bad intent. While this assurance was comforting, the ease with which the access was obtained was, for observers, a problem.
It wasn’t future-proof
But the key fear was that the strategy, for its enormous cost — A$740 million over ten years — was not future-proof. Technologies that can hide from metadata collection are readily available and widely used.
Any encrypted messaging app — such as Wickr, Phantom Secure, Blackberry, WhatsApp, Tango, Threema and Viber — can circumvent data retention. Moreover, any secure drop system based on Tor is capable of evading metadata scrutiny too.
So that’s where Angus Taylor’s concerns are coming from.
He wants to find a way of compelling the telecommunications companies (telcos) to hand over encrypted data when his agencies suspect that communications are occurring in the pursuit of nefarious purposes.
Will this be through some form of commercial arrangement? Will it be via a threat to block services of non-compliant telcos? Will it involve embedding surveillance codes in devices? Will warrants be required in all cases? How much will it cost?
We won’t know until the legislation comes before the parliament. What we do know is that the process will not be easy.
Read more: Police want to read encrypted messages, but they already have significant power to access our data
We don’t know if these powers are effective
It is worth remembering that governments must ensure that no policy sacrifices our hard-fought liberties in the pursuit of an expensive goal that is not readily attainable.
Indeed, we don’t even know whether the current metadata laws are having the desired effect. Anecdotal evidence emerges from time to time from law enforcement agencies that they have disrupted serious threats, but there has been no actual evidence that the disruption was caused or aided by access to metadata because of the secrecy that shrouds issues of national security. It boils down to a case of “trust us”.
So it is virtually impossible for the public to assess whether the digital data collection by security agencies has been effective or necessary, or even what that collection actually involves. We can only hope that the debate over accessing and analysing encrypted services is a little more enlightening.
Authors: Rick Sarre, Adjunct Professor of Law and Criminal Justice, University of South Australia
Daily Bulletin
