Original URL: https://www.theregister.com/2013/06/24/data_retention_a_iveryi_hot_potato_says_oz_parlt_commitee/

Data retention a very hot potato says Oz parl't committee

Update: A-G shelves the idea, for now

By Richard Chirgwin

Posted in Legal, 24th June 2013 02:28 GMT

Data retention – something that governments around the world have scrambled to defend in the face of a daily diet of new revelations courtesy of whistleblower / leaker / traitor / hero Edward Snowden – doesn't have so many friends in the Australian Parliament.

Update: Since the report was released, federal Attorney General Mark Dreyfus has shelved data retention for now, in a statement saying "the Government will not pursue a mandatory data retention regime at this time and will await further advice from the departments and relevant agencies and comprehensive consultation."

In tabling its 321-page Report of the Inquiry into Potential Reforms of Australia's National Security Legislation, the Parliamentary Joint Committee on Intelligence and Security appears to be bucking a trend. In a world in which parliaments are being constantly urged by spooks and law enforcement towards greater intrusions in the name of national security, the PJCIS has made a raft of recommendations that would improve the transparency and accountability of access to telecommunication intercepts.

One of the most contentious aspects of the review, the Attorney-General's department's two-year-long barracking for a data retention regime, is treated as a serious issue rather than a lay-down misere for law enforcement. Noting that there was a “diversity of views” in the committee on the topic, the report also criticises the A-G's department for its reluctance to provide a detailed definition of what it actually wanted.

“One of the most controversial topics canvassed in the discussion paper—data retention—was only accorded just over two lines of text,” the report states.

“This lack of information from the Attorney-General [then Nicola Roxon - The Register] and her Department had two major consequences. First, it meant that submitters to the Inquiry could not be sure as to what they were being asked to comment on. Second, as the Committee was not sure of the exact nature of what the Attorney-General and her Department was proposing it was seriously hampered in the conduct of the inquiry and the process of obtaining evidence from witnesses.

“Importantly the Committee was very disconcerted to find, once it commenced its Inquiry, that the Attorney-General’s Department (AGD) had much more detailed information on the topic of data retention. Departmental work, including discussions with stakeholders, had been undertaken previously. Details of this work had to be drawn from witnesses representing the AGD.”

Data retention: “significant extension to the power of the state”

Since it represents the focus of the Australian political debate, let's look at what the PJCIS has to say.

Vulture South cannot claim to be expert in the rules of drafting parliamentary committee reports, so we're not competent to comment on what the committee “should” have recommended. It is clear, however, that the committee does not have the same sanguine view of data retention regimes as is put forward by law enforcement.

While acknowledging the “significant utility” stored data offers to law enforcement, the committee notes that “the utility of such a regime to the national security agencies is not the only consideration” that matters.

“A mandatory data retention regime raises fundamental privacy issues, and is arguably a significant extension of the power of the state over the citizen. No such regime should be enacted unless those privacy and civil liberties concerns are sufficiently addressed,” it notes.

It says that content should be excluded from data retention; that access to stored data should be tightly controlled; Internet browsing data should be excluded; that “where information includes content that cannot be separated from data, the information should be treated as content and therefore a warrant would be required for lawful access”.

All stored data should be encrypted by default, the storage period should be no greater than two years, and there should be a mandatory data breach notification scheme. Any data retention regime should be audited for compliance, with oversight both by ombudsmen and the Inspector General of Intelligence and Security.

Finally, the report recommends that the PJCIS review the scheme's operation annually, and that it conduct a review into the effectiveness of any scheme after three years.

The Register notes that the committee's hearings – and its drafting period – took place long before Snowden's leaks brought the privacy and government snooping debates to the fore, teaching the world at large that metadata (who called whom from which phone in which location) is at least as intrusive as capturing content.

Fewer wiretaps recommended

Unpicking the entire 300-page epic would take until the end of the week, but there are some other nuggets that deserve to be highlighted.

Who can conduct intercepts? – Access to intercepts is restricted only to agencies involved in “the enforcement of the criminal law, a law imposing a pecuniary penalty, or the protection of the public revenue”. In other words, world+dog, since even local governments could feasibly claim to fall under the last definition.

With more than 250,000 requests for access to telecommunications data in 2011, many privacy advocates believe the system is out of control. The PJCIS report believes a further review should reduce the number of agencies that can access telecommunications data.

Other key recommendations are:

The apparent neutrality of the report will disappoint privacy advocates and activists: the committee's terms of reference did not leave it free to (for example) recommend against data retention. ®