WANTED: A plan to DESTROY metadata, not just retain it

Australian Police keep leaking or pinching data: if we must have metadata retention, laws must stop their stupidity

Australia's data retention proposal suggests the nation's telcos and ISPs need to store data for two years. But agencies accessing the data can seemingly keep it forever and are not, to date, required to securely store or destroy data they retrieve from the nation's putative data trove of personal information, miscalled "metadata".

The absence of discussion on these matters, in public or in the draft legislation, appears a remarkable oversight.

Seeking to confirm our understanding that this is the case, Vulture South contacted Graham Greenleaf of the University of Sydney, a research professor of law and information systems, co-founder and co-director of the Australian Legal Information Institute (AustLII), and co-founder of the Cyberspace Law & Policy Centre.

“Whether agencies can retain it 'forever' depends on what exemptions they have from privacy laws (which generally do include some eventual deletion obligations), but in any event there is nothing requiring them to delete it after two years, and we cannot generalise about how long they could legally retain it. The dangers are then similar to those arising from ISPs or telcos holding the data for long periods, or probably greater because of the functions of those agencies”, he replied via e-mail.

Professor Greenleaf pointed out that the Australian Privacy Foundation had included a long discussion of the issue in its submission to the enquiry conducted by the joint Parliamentary Committee for Intelligence and Security. That submission concluded that “the security risks inherent in the retention of personal data will increase significantly, because more (and more valuable) data will be retained for longer”.

Police integrity

The problem with keeping data in police computer systems, perhaps forever, is that there is a long history of police services misusing their access.

It's depressingly easy to find that there exists a litany of such cases. Here's a sample:

  • In 1994, this report by Greenleaf, originally from Privacy and Policy Law Reporter enumerates charges against NSW police officers and private investigators for “data trafficking” after an Independent Commission Against Corruption investigation;
  • Later the same year, the same source gives us “Thirty police obtain young woman's details”, “Police disclose address to stalker”, “Complaints sustained in 44 cases”, and “Two police officers face charges” (for abusing access to the COPS computer system).

The culture did not end: The Register can locate, without excessive effort, abuses of access to police computers in Victoria here and here; in Queensland here and here and here.

In Western Australia, the abuse was more direct, with police this year convicted of bugging a woman's car to see if she was cheating on one of them.

WA Police also suffered an “improper access” case in 2014.

In 2014, an Australian Federal Police officer was arrested for releasing “official AFP information to a member of the public”.

There are more, but you get the picture.

Preserving evidence

On the other hand, it's uncontroversial to state that police could argue a need to retain data with evidentiary value beyond the period for which telcos have to retain it.

There are two reasons this matters. The first is that evidence relevant to one case may well be relevant to another; the second is that the evidence may be called for again, perhaps over many years, while appeals processes continue.

The requirement for preservation of evidence, however, creates another requirement: whatever data is preserved must be protected both from accidental leakage and from malicious access.

When The Register asked assistant commissioner of the Australian Federal Police, Tim Morris, about the citizens' capacity to trust police to hold the data, he provided a detailed response – describing the AFP's protections.

These, he said, include officers' ability to anonymously report others who abuse their access to data, and since arrests happen and prosecutions take place, The Register is in no doubt that the AFP's internal processes are working.

However, with regard to the Australian data retention regime, sanctions after the fact have this fatal flaw: they may not repair the damage done by the original breach, either of trust or of information.

It may well be that opponents of data retention have already lost. It is for that reason that Senator Scott Ludlam said the Greens would support amendments that improve the legislation (while voting against the whole), even if that led to accusations they were rolling over.

In those considerations, The Register hopes that some kind of proactive protections can be wrapped around data retrieved from telcos. Rather than relying on punishment after the fact, if data can be moved away from live systems as soon as possible, into long-term archives, at least a small measure of protection would be afforded to the public.

And a data destruction regime, so that police and security services get rid of what's no longer needed, is a must. ®
