#natsecinquiry FOI reveals more of the same: It’s still terrible


In May 2012, the Australian Attorney-General’s department announced a sweeping inquiry into Australia’s national security laws that spans the activities of police, intelligence agencies and the telecommunications industry – telcos being the choke point in the data tsunami.

The Government then published a discussion paper outlining what equates to a Christmas wish list for the Australian security sector. Among the worst of the proposals are: indefinite renewal of search warrants; reducing the penalty threshold for minor offences in order to allow surveillance of citizens for the most trivial of offences; allowing ASIO to remotely access a ‘target computer’ to add, delete or alter data; and a proposal to allow agencies to force you to give up your passwords.

Most alarmingly, the discussion paper makes reference to ‘tailored data retention periods of up to two years’ – the biggest red flag of them all – to keep every record of every phone call, SMS, email, chat and webpage visited, by every Australian.

Rather than focusing on how to pare back existing laws, which allow a myriad of government agencies to monitor communications with minimal judicial obstacles, the inquiry is seeking to expand them.

After nearly four months of persistent needling of the AGD’s Freedom of Information department, Pirate Party Australia Secretary Brendan Molloy has finally coaxed out a series of meeting minutes produced from the AGD’s consultations with the telco industry on the data retention proposals. The existence of these documents has been known since 2010, but FOI application results at that time resembled a goth’s colouring book.

The documents date between 2009 and 2012 and are notable in part for the horrifyingly casual and ordinary way a bunch of bureaucrats and industry bigwigs are able to sit down and discuss implementing a total surveillance state over tea and sandwiches. Of course, the documents are heavily redacted. In a transparency famine, we have to make do with crumbs.

What is nonetheless revealing is just how advanced the data retention proposal was long before it became public. Government bodies ACMA, the DBCDE, as well as the Australian Federal Police have all been present at these meetings. We can see quaint little diagrams examining the merits of data storage models, although the issue of who will shoulder the cost burden is only referred to in passing. (The issue of who will pay for all of this remains a sore point, as attested by certain telcos at the public hearings in September 2012.)

By December 2011, the discussions explore the conundrum of compelling telcos to actually implement a system that is further away from their ambit than Pluto: regulation, or a voluntary industry code?

The not-so-hidden hand of law enforcement agencies appears in discussions of access to data. ‘Centralised would be good, but the key issues are timeliness, data is available and is accurate. One stop shop – data normalised…Timeliness becomes more and more important particularly with cybercrime. Centralisation will be key to this process…Privacy issues in one storage facility insurmountable – but can be overcome with additional security…’

We get a window into the AGD’s clumsy conceptions of perception management. ‘Think about analogies used and descriptors. Position whole debate on a grown up debate about what should be in this space. This is the issue – high level principles before dealing with the detail.’

The 2011 document also covers the proposed length of data retention periods. At that time agencies were looking at keeping data for up to two years, which now seems modest after the AFP declared in September 2012 that they would like to see data stored indefinitely. Destruction clauses and audits are seen as merely ‘good’, if not an afterthought.

A few other tidbits piqued the interest of this writer:

– The recognition that IP addresses are not useful identifiers – a reference to finding ways to harvest ‘MAC’ addresses instead

– ‘What seeing [sic] in the marketplace is getting squeezed out of the application service layer. Apple launched application that will displace other carriers SMS business.’ (This appears to be a reference to Apple’s iMessage).

– One telco notes it ‘generally keeps consumer stuff [probably billing data] for two years for possible TIO investigations’. Let us wonder who that could be…

Where is the precise justification for such an illiberal proposal amongst these meeting minutes? It certainly isn’t found in the bland references to ‘privacy impact assessments’. Such is the cavalier attitude of the Australian security bureaucracy, a substantiated argument for retaining everyone’s data for years isn’t even considered necessary.

Beyond the smokescreen of investigating murderers, drug traffickers, pedophiles, fraudsters and the Chinese cyberwarriors who are purported to intrude on Australia’s online networks daily, no government department, intelligence agency or police force has offered a detailed explanation of why and how blanket data retention could work to protect Australia and not be a hideously expensive privacy Chernobyl all at once.

If anything, the annual report of Telecommunications Intercept Act requests shows that access to data by authorities is far from restricted – it is already routine, and excessive. The total number of interception warrants for the period 2010-2011 numbered 243,641 – and that’s excluding ASIO’s requests.

In the months after the inquiry was announced, the public baulked. Tweets began flowing with the tag #natsecinquiry attached, with Australians launching into what they (rightly) saw as a war on the basic rights to privacy, freedom of expression, and the right to association. (And in a masterstroke of mischief, the then Attorney-General Nicola Roxon was party to many of those tweets courtesy of the hashtag #ccRoxon, which automatically sent her office an email with every tweet bearing that tag.)

The Attorney-General’s department, ASIO, and the Australian Federal Police have all stepped up to the podium in recent months, caps in hand, to plead that we simply trust them not to abuse their power. If only it were that easy. “I know it’s a big ask, but we’re asking people to trust us,” AFP Assistant Commissioner Neil Gaughan told the Canberra Times in October. Gaughan was forced to admit he was unaware of news broken in June that Telstra had already been secretly archiving the web browsing activity of its users, even though the AFP had actually received requests by outraged customers to investigate the matter.

Then there’s the repeated obfuscation from the government about what ‘communications data’ actually means. The AGD, state and federal police and intelligence agencies alike have all given us confusing definitions of precisely what data it is they wish to collect. One mantra being repeated by some, including the AFP, is the need only for ‘traffic data’ – date and time stamps of phone calls, sender, recipient and email subject data, URLs, but not the actual ‘contents’ of an email, phone call or webpage. As an argument coming from agencies that practise interception of communications on a daily basis, this distinction is highly disingenuous.

If the AFP has requested a list of every URL for every web page visited by an individual, they will certainly be able to access the content of that web page, as the function of URLs is to point to content. A recent study by Lukasz Olejnik, Claude Castelluccia and Artur Janc found that 70% of internet users could be uniquely identified based on their web browsing history alone.

Even more incriminating is the picture that ‘traffic data’ provides. Over the course of six months for example, authorities will be able to find out every train you caught, every home you visited, every bar you went to, every doctor you saw, and who you associated with, simply from accessing the data that contemporary smartphones collect on their users via geolocation data (GPS) and mobile phone towers. It’s a very detailed mosaic of someone’s life indeed.

As Australia’s record of corruption inquiries shows, surveillance powers are prone to abuse in the hands of the police, no matter how well-intentioned the legislation is. (See the Fitzgerald Inquiry, for example.)

In a rare interview with ABC’s Radio National, ASIO Director-General David Irvine bristled at the suggestion that ASIO officers may be in a position to abuse their powers to spy on people arbitrarily: “We don’t have the time to do it. We don’t need to do it!”

Last year, the Department of Resources, Energy and Tourism confirmed ASIO’s involvement in monitoring anti-coal mining protests, after documents released under FOI confirmed the same. Martin Ferguson, Minister for Resources, Energy and Tourism, had urged the then attorney-general Robert McClelland in September 2009 to see whether “the intelligence gathering services of the Australian Federal Police” could be “further utilised” to assist energy companies in combating environmental activists.

And as we’ve seen with the Wikileaks, Arab Spring, Occupy and Anonymous movements, all of which have been forged with internet technology, so intense is the authorities’ fear of this networking power being available to the public that the government is willing to curtail our most basic liberties in order to maintain control of it.

We are in an era of transnational harmonization of internet law. The last three months alone have seen a sequence of agreements between governments, the military and the private sector to share information and redefine the internet as a battlefield on their own terms.

With 2013 being an election year in Australia, any meaningful public debate about surveillance and privacy is guaranteed to be sidelined; ordinary citizens barely have a chance to understand what these agreements truly entail, much less a chance to argue against them. The geeks and activists can’t fight this one by themselves.

Here we arrive at the uneasy tension between the need to maintain social order, and the right to be left alone; the right to express ourselves without fear that off-the-cuff remarks made over the wires will be used against us five, ten, twenty years down the track should be the right that wins in the end.

(For further reading on the Australian Attorney-General’s approach to policing the internet, check out Renai LeMay’s excellent overview here. Analysis by Bernard Keane of Crikey on this FOI story is also recommended reading.)
