Controversial data retention laws were recently passed in March this year amidst privacy abuse concerns. The Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2015 forces telecommunications companies and internet service providers (ISPs) to hold clients’ metadata for two years. Although this Bill was passed on the grounds of terrorism and serious crime prevention, access to the data is not limited to just investigations for these purposes, opening the door to security risks and concerns such as unauthorised data access by hackers for unlawful purposes.
Prior to the upcoming National Security Conference in May, Katie Miller, President of the Law Institute of Victoria, joins us to talk about the importance of metadata access to terrorism and organised crime investigation, the regime’s legal implications, and its impact on privacy rights.
How vital is access to metadata in the investigation of terrorism and organised crime?
Metadata (or as it’s referred to in legislation, “telecommunications data”) is obviously a useful tool for investigating crime and terrorism. This is clear from the number of disclosures made to law enforcement agencies every year – over 500,000 in financial year 2013/14, according to ACMA’s report, including 1,200 per week to Victoria Police. Accessing metadata appears to have become as routine as obtaining statements from witnesses. Whether it is vital, in the sense of necessary and critical, is a difficult question to answer. Law enforcement and intelligence agencies currently have limited reporting obligations in respect to metadata access and they do not keep records of the utility or criticality of accessed metadata to particular investigations or prosecutions.
The data retention regime has been criticised by privacy experts, civil libertarians, leading telcos and the media. Do you believe the legislation breaches privacy rights?
Yes. One of the most basic principles of privacy protection is, in essence, “don’t collect what you don’t need”. This principle finds expression in Australian Privacy Principle 3. Under the data retention scheme, massive amounts of information about every person in Australia who uses a phone or the Internet will be collected – even if those persons are never suspected of committing a crime. That is a clear invasion of privacy, even if the data is never accessed. It is also a security risk – the Law Institute of Victoria is concerned about who might access this data without authorisation e.g. hackers.
What are some of the other legal implications of the metadata policy?
The data retention law essentially authorises invasion of privacy on a mass scale, as well as setting up the infrastructure for a surveillance state. Collection of the data has been justified on the grounds of preventing and detecting terrorism and serious crime. Yet access to the data is not limited to investigations of serious crime or terrorism. The Law Institute of Victoria is concerned that this data, once created and stored, will be used for purposes other than investigating serious crime and terrorism. Some of those purposes will be lawful, others won’t be. For example, the data will be accessed for civil litigation, increasing the costs of civil litigation. The data may also be accessed by hackers for unlawful purposes, such as identity theft.
Can you briefly explain the key areas of importance to ensure the effectiveness of surveillance is successful?
Surveillance can be necessary for investigations. Any surveillance should be targeted, proportionate and based on information that supports a reasonable suspicion or belief that the subject of surveillance is planning or engaging in crime or terrorism. Surveillance should be subject to strong oversight, including external and judicial oversight. That oversight must occur throughout the surveillance, not just after the fact.
You’ll be part of a panel discussion on data retention and its role in strengthening national security at the upcoming National Security Australia Conference in May. What are you most looking forward to at the conference?
There was a relatively short period of time to debate the merits or otherwise of the Data Retention Bill. Consequently, opportunities for law enforcement agencies and privacy advocates to engage in meaningful conversation about data retention and its alternatives were limited. I’m looking forward to the conference bringing together experts in the fields of law enforcement and privacy to have the discussion that should have been had before the Bill was passed.
Catch Katie Miller on Day 2 of the upcoming National Security Conference 2015 (20-21 May, Melbourne), in a panel discussion titled “Will granting greater powers for data retention offer increased protection and strengthen national security?“.