In July this year, the AttorneyGeneral’s Department released a discussion paper to guide the Parliamentary Joint Committee on Intelligence and Security in its consideration of potential national security reforms. It was entitled ‘Equipping Australia Against Emerging and Evolving Threats.’
The discussion paper contains 45 separate proposals. 44 of those would limit individual freedoms and curb basic rights. Just one would protect those freedoms.
The most outrageous proposal is a government-mandated, indiscriminate data retention regime. The proposal is to force internet service providers to collect the online data of all Australians and store it for a period of two years.
Governments often tell us that these limits on freedom are the price we all must pay for the security that the state provides. And though there may be some truth to this, how much more freedom do we have to give up to be safe?
The range of policies that the government could implement in the name of ‘national security’ is virtually boundless. In a free society, however, there are limits to how much freedom citizens are prepared to give up in order to avoid social disorder and allow the police to enforce the law. In a free society, law enforcement agencies don’t get to make up whatever rules they like.
It is not enough for governments to simply tell us they need more power to fight crime. The explanation must be unambiguous. The onus of proof always rests with the state to justify increases in power because such increases will always result in decreased autonomy of those subject to the state’s power. And if the case is well made that the powers are required to keep us safe only then should they be granted.
Yet the Attorney-General’s Department’s discussion paper is far from clear on why new security powers are required. The only attempt made at explaining the need for greater security powers is a general reference to the threat of ‘cybercrime’ and the ability of security agencies to enforce the law in an age of ‘new technology’. It would be immensely kind to describe these justifications as ‘feeble’.
The risks of cybercrime are often overstated. This is not to trivialise the very real cases of criminal activity that occur online. But we should be sceptical of claims made by companies trying to sell security software and law enforcement agencies trying to increase their staff and budgets. The problem is not as great as they would have us believe.
Often cybercrime surveys with very small sample sizes are extrapolated to the population. This can give the impression that criminal activity is rife across the internet, but the vast majority of us know to ignore emails asking us to verify our bank account details in order to receive 1 billion Nigerian nairas.
The impression from reading the discussion paper is that Australia’s national security laws are at risk of becoming outdated. To the casual observer it would appear that the framework has not been updated in recent years as the internet and other technologies have become such an important part of our lives.
This is empirically false. The last decade has seen an unrelenting succession of changes made to Australia’s national security laws. And despite lip service paid to the idea of balancing individual freedom and collective security, the pendulum seems to continually swing away from liberty.
Many of the proposals in the discussion paper relate to interception powers of ASIO and other security agencies. But the Telecommunications (Interception and Access) Act 1979 has been amended on average twice a year since it first became law. The most recent changes were made in late August this year. This is not an area of legislative decay.
Given the lack of justification for increased security powers, some of the proposals are astonishingly audacious.
There are so many problems with the data retention proposal it is almost beyond belief that the suggestion was even included in what purported to be a serious discussion paper.
The rationale behind the proposal is that at some point in the future law enforcement agencies might want access to the data if a person is subject to a criminal investigation.
This extraordinary approach reverses the presumption of innocence. This basic legal right is a critical feature of our criminal justice system and a central tenet of the rule of law. It assists in ensuring the police are doing their job properly and is an important limit on state power.
There is no problem with a system of targeted search warrants. Obtaining a warrant should be subject to detailed tests and high thresholds. Once obtained, warrants allow the police to legitimately collect evidence, but only on people who are the subject of a criminal investigation.
Sometimes law enforcement agencies are concerned that data they wish to collect for an investigation will be deleted before a warrant can be obtained. It is appropriate in these cases that a data preservation order is issued in the interim to protect important evidence. What is completely inappropriate is mandatory data retention, which uses ISPs as proxies of the state for the indiscriminate collection of evidence on all citizens.
Data retention also fundamentally conflicts with the right to privacy. The proposal would be a rolling, systematic and excessive invasion of the privacy of all Australians. No one will ever be free from observation online if the policy is implemented.
The Romanian Constitutional Court made this point when it ruled that a data retention regime implemented in that country was in conflict with the Romanian constitutional right to privacy. The judgment stated ‘the regulation of a positive obligation that foresees the continuous limitation of the privacy right and the secrecy of correspondence makes the essence of the right disappear.’ The message is clear: blanket data retention extinguishes any right to online privacy.
In Romania, and across Europe, the decision to implement data retention regimes was made in accordance with the European Union Directive on Data Retention. And Romania is not alone in declaring the regime unconstitutional; Bulgaria, Germany, the Czech Republic and Cyprus have all had similar decisions handed down by their own constitutional courts.
The European experience is also informative for the results it has produced. In considering the efficacy of data retention, the research wing of the German Parliament conducted a study to assess the impact of the regime across the European Union. The study found that between 2005 and 2010, countries that had implemented data retention regimes did not achieve better crime clearance rates. Law enforcement agencies were no better off but the civil liberties of all citizens in those countries were severely impacted.
Supporters of the proposal have tried to argue that a data retention regime would simply be the online equivalent of the current telephone interception and access regime. This is untrue. Telecommunications companies retain call charge records for the purpose of billing their customers. When a warrant is issued they are obliged to hand over the relevant records to law enforcement agencies. ISPs are in a very different position. They don’t keep equivalent records for billing purposes so the government would be forcing ISPs to create them.
The issues with this are twofold. First, it has a significant financial impact. ISPs would need to build capacity to store all data for a period of two years. There are many small ISPs that simply couldn’t afford to bear the increased costs of running their business. This problem has been identified before in countries seeking to implement data retention.
In Finland and the UK the response was to exempt smaller operators from the obligation to retain data. But this policy response opens up a very obvious loophole in the system that criminals will inevitably exploit.
The second problem is that of data security. One of the government’s stated intentions is combating hacking and identity theft, but the unintended consequences of the policy will be more online criminal activity, not less. The stored data will create irresistible honey pots for the very criminals this proposal seeks to constrain. These information silos duplicate private and valuable information and would be an obvious target for the unscrupulous.
Australia has once debated whether to curb privacy and civil liberties in a similarly extraordinary way before. The IPA said then ‘A fundamental change is to be wrought in the relation of citizen to state.’
That was said in the debate around the Australia Card in 1986, and we now issue the same warning in the context of the proposed data retention regime. ASIO would have us believe these powers are a necessity, but it is the citizenry that gets to decide what liberties to sacrifice. There’s a name for nations that allow law enforcement agencies to write the rules: totalitarian.
The government, the Coalition and the Parliamentary Joint Committee on Intelligence and Security should reject the data retention regime, and the 43 other draconian proposals included in the discussion paper. After a decade of giving up our freedoms in the name of national security when will we say ‘enough’?