Chapter 4

Law enforcement challenges arising from online technological advancements

4.1        While new technology has created numerous privacy protection issues for individuals and regulators in the online environment (as discussed in chapter 3), developments in web-based technology have also made it possible for individuals and organisations to obscure their identities in a range of circumstances. This has created a number of challenges for law enforcement, and led to a recent controversial proposal from the Attorney-General's Department to require internet service providers to retain specified personal data for law enforcement purposes.

A data retention proposal

4.2        A number of submitters commented on reports and rumours that the Commonwealth Attorney-General's Department was considering implementing a mandatory data retention framework.[1] Prior to this inquiry, very little was known about the proposal, and submissions relied on information from scant news reports.

4.3        On 16 June 2010, an article was published on ZDNet, a website dedicated to technology news and discussion, reporting that the government was considering implementing a mandatory data retention regime similar to that in place in the EU.[2] The ZDNet report explained that:

Data retention requires telecommunications providers, including internet service providers (ISPs), to log and retain certain information on subscribers for local enforcement agencies to access when they require it.

The regime sees certain data logged before any suspect is identified, meaning that every internet user's online activities are logged by default.[3]

4.4        The report also noted that various ISP sources have claimed that the mandatory data retention regime 'could extend as far as each individual web page an internet user had visited'; however, the Attorney-General has denied that web browser history would be logged.[4]

4.5        Ms Catherine Smith, Assistant Secretary, Telecommunications and Surveillance Law Branch, Attorney-General's Department, reiterated this point when she appeared before the committee, also explaining that the government is only considering the retention of 'metadata' in relation to online communications, and not content.[5]

4.6        Ms Smith also emphasised that no decision has been made by government yet about whether to implement such a regime:

I should say that no decision has been made by government about a data retention proposal.[6]

4.7        However, even at this early stage, there was a lot of confusion amongst witnesses about the specifics of the proposal and particularly about what information would and would not be retained. It seems that this is due to the limited range of organisations with which the Attorney-General's Department has consulted on the proposal at this stage.

4.8        A number of witnesses expressed concern about the lack of consultation during the development of the data retention proposal. For example, the Law Institute of Victoria (LIV) criticised the lack of consultation and transparency in the development of the policy to date.[7] Similarly, Dr Clarke, Chair, Australian Privacy Foundation (APF), informed the committee that the APF had been 'unable to get a place at the table in discussions on this matter'.[8] Dr Clarke continued:

The government will not consult with us. They will consult with industry; they will not consult with civil society. When I say ‘us’, there is no reason why the APF has to be chosen as one of the organisations that government agencies interact with if there are other alternative organisations that cross into the same space. Civil liberties organisations do; in other contexts, consumer organisations do. Our argument is that civil society is not being engaged...[9]

4.9        Officers from the Attorney-General's Department disputed this, informing the committee that:

We actually did consult with a broad range of people and have done so over some time within the industry.[10]

4.10      Ms Smith specified that the Department had consulted with the following organisations:

4.11      Ms Smith concluded that:

It was very broad consultation within government and industry.[12]

4.12      Ms Smith explained that consultations on the data retention proposal to date were 'for the purposes of developing a model, not to actually consult on a model'.[13] She argued that the proposal is not yet at a stage where it is appropriate to begin consultations with public interest and privacy advocacy organisations:

In regard to the development of this particular issue, to date we are still not at a point where we think it is suitable to actually go out for that further consultation. In any policy development, you have to look at the outcome you are trying to achieve, the problem and how to address the problem, and you have to talk to the key stakeholders to see what is viable. When I say key stakeholders, I am talking about the agencies and the industry that are going to be primarily working to effectively build a solution. We do not want to pre-empt consultation with the public until we have a view around what that could possibly be.[14]

The EU mandatory data retention scheme

4.13      A model of mandatory data retention has existed in the European Union since March 2006. EU Directive 2006/24/EC requires Member States to adopt measures to ensure that metadata related to email, telephony and internet access is retained for between six months and two years.[15]

4.14      Metadata is the information about the communication—the time and location—proving the fact that it occurred, rather than information about its content.[16] The EU Directive specifies that member states must require the retention of the following metadata:

4.15      Article 5(2) provides that 'no data revealing the content of the communication may be retained pursuant to this directive'.

4.16      The EU Directive is still in the process of being implemented into national law; however, in some countries where it has already been implemented, the laws have attracted significant controversy. For example, EFA noted:

In March this year [2010], Germany's Federal Constitutional Court suspended German law implementing the Directive, ruling it was unconstitutional. Among other reasons, they cited a lack of transparency in the potential uses of the data.[18]

4.17      Mr Jacobs, Chair, EFA, informed the committee that in that case:

The judge pointed out that even though it was just the data about communications there would be sufficient data gathered to enable the compilation of a profile on somebody’s interests, which political party they might be leaning towards, et cetera, and that it was out of proportion to the needs of law enforcement.[19]

4.18      There has also been criticism of the Directive by other EU members and by prominent civil liberties organisations. For example, Mr Jacobs explained:

Sweden has declined to implement the directive and so they are subject of a suit by the European Commission. In Romania a court found that the data retention provisions violated the European Convention on Human Rights. Also the ACLU [American Civil Liberties Union] and others have come out and claimed that data retention schemes such as this one are in violation of the Universal Declaration of Human Rights, and I believe that others have pointed out in their submissions to the committee that you would violate the National Privacy Principles in Australia including fairness, being unobtrusive, and collecting data only for its stated purpose.[20]

4.19      When asked about the impact of the EU directive on Google's global operations, Mr Flynn, Head of Public Policy and Government Affairs, Google Australia said:

Our view is that any requirement to retain data to enable the investigation and detection and prosecution of serious crimes has to be proportionate to the resultant privacy impact and anonymity loss for internet users, as well as the costs to search providers of implementing something like that. I guess the key thing that we would take out of it is transparency. That is something that we emphasise in our efforts around privacy and we think it is very, very important.[21]

4.20      Mr Flynn continued:

On the transparency front, we have launched a tool which you may have seen. It is a website and it actually gives details of the requests we get from governments around the world for two things. One is for data on users and the second is requests to remove content from our different services—like YouTube, for example. We think it is important because it is a step on the road to having greater transparency around these kinds of efforts and we think that is important. We would be interested to see others in industry take the same kind of approach.[22]

Current practice in Australia

4.21      Currently in Australia the data retained about an individual's online communication and internet usage may be used for law enforcement purposes in certain circumstances.

4.22      Australian Internet Service Providers (ISPs) are required to comply with the Privacy Act 1988 with respect to personal information of their customers. However, they are also required to:

4.23      Under Part 4-1 of the Telecommunications (Interception and Access) Act 1979 the head, deputy head or authorised officer of a law enforcement agency may authorise the disclosure of documents or information if satisfied that the disclosure is reasonably necessary for the enforcement of criminal law, to impose a pecuniary penalty, or to protect public revenue.[24] The content or substance of communications (e.g. the contents of an email) cannot be obtained through this method, only the metadata.[25]

4.24      Authorisation may also be given for information likely to be collected in the future if the authorised officer is satisfied that such disclosure is reasonably necessary for the investigation of an offence punishable by imprisonment for at least three years.[26]

4.25      In order to obtain the content of online communications, law enforcement must obtain a warrant.[27]

4.26      Ms Smith, Assistant Secretary, Telecommunications and Surveillance Law Branch, Attorney-General's Department, advised the committee that while law enforcement agencies currently have the legal power to access the metadata from online communications, through the above described method, they can only do so if the relevant online service provider has retained the metadata, which there is currently no requirement for them to do.[28]

4.27      Ms Smith explained:

The development of a data retention proposal is intended to ensure a national and systematic approach is taken for the availability of telecommunications data for investigative purposes. Data retention would not give agencies new powers. It would ensure that existing investigative capabilities remained available.[29]

4.28      Ms Smith informed the committee that 'telecommunications data is an important investigative tool' which provides 'important leads for agencies, including evidence of connections and relationships'.[30] Law enforcement agencies have come to rely on the information kept by traditional methods of communication, such as fixed‑line phones. Ms Smith explained:

In the good old days when we all had a fixed-line phone there was information kept about—for example, I called someone, their phone number, for how long, how much it cost, all that sort of information.[31]

4.29      Data about that telephone call, which was collected by the telephone company for billing purposes, could then be used by law enforcement agencies following the procedure under the Telecommunications (Interception and Access) Act 1979 for investigations, and to provide evidence justifying a warrant, for example for a telephone interception.

4.30      However, more modern forms of communication, such as Voice over Internet Protocol (VoIP), and email do not require providers to retain detailed information for billing purposes. Ms Smith told the committee:

Internet based service providers tend to charge on the quantity of data used rather than on a per call basis. Over time, as telecommunications services such as voice-telephone migrate to voice-over-internet based services, less and less information will be retained and stored. Therefore, this means that traditionally available telecommunications data—as: ‘Person X called person Y at this time’—may no longer be available.[32]

4.31      This means that the information is less likely to be retained by providers, and therefore, even though law enforcement may have the power to obtain it, it does not exist. Ms Smith explained:

Despite the increased reliance on telecommunications data and the acknowledgement of the importance of telecommunications data, industry have confirmed that there will be changes to and reductions in the type of telecommunications data which will be retained into the future. They indicate that this is a natural evolution as a result of advances in technology and business models. For example, the telecommunications sector is quickly migrating from the traditional telephone network to internet protocol based networks.[33]

The government's proposal

4.32      The Department's proposal for a mandatory data retention scheme is 'intended to ensure a national and systematic approach is taken for the availability of telecommunications data for investigative purposes'.[34]

4.33      At this early stage, it is proposed that metadata 'about the process of communication, as distinct from its content' is retained by telecommunications and internet service providers.[35] Ms Smith likened this metadata to the information retained by fixed-line phone companies for billing purposes—information about who contacted whom and when.[36]

4.34      Ms Smith emphasised to the committee that no decision has yet been made by government about a data retention proposal.[37] However, the Department has developed a 'data set' of the categories of information to be retained and has also engaged in discussions with industry about the data set and the period for which data would be retained.[38]

4.35      Those consultations revealed that:

Advice from industry is that the majority of information that is included in that draft data set is currently retained. The issue is the length of time it is retained for. Some of the information is retained for days whilst some of it is retained for years. Some of that information is retained for audit and taxation purposes. Each individual industry participant currently holds a vast amount of information on every one of their customers.[39]

4.36      The Australian Federal Police (AFP) argued that a mandatory data retention scheme would not give the police additional powers, and that 'all we are asking for here is for the status quo to remain'.[40]

4.37      Assistant Commissioner Gaughan cited Operation Centurion, a child pornography investigation, as an example of communications metadata proving useful for law enforcement purposes:

Centurion was a 2008 investigation in which the AFP received a number of referrals in relation to a particular activity. All we received to commence our investigation with were a number of Australian IP, internet protocol, addresses. As a result of that investigation we were able to go back to the metadata and ascertain that there were a large number of Australians who were involved in possessing child abuse material, because the ISPs had retained that information, which enabled us to then take actions in progress. As a result of that we executed in excess of 340 search warrants, we arrested in excess of 140 people, we seized 400,000 images and, more importantly from my perspective, we actually saved four children who were potentially at risk from child abuse. Without that metadata being retained, the AFP cannot do those types of investigations because we will not have that information to backtrack.[41]

4.38      In a private session, the committee heard details of a range of other ongoing investigations, which the Department and the AFP argued demonstrated why telecommunications data is an important investigative tool.[42]

Criticisms of the data retention proposal

4.39      The Attorney-General's Department's proposed data retention scheme attracted a great deal of criticism from witnesses and submitters. Major arguments against the proposal included that it:

Breach of privacy principles

4.40      The Law Institute of Victoria (LIV) submitted that the proposal is inconsistent with the National Privacy Principles, as the information collected is unnecessary for both the functions of the ISP and in the vast majority of instances for law enforcement agencies.[43]

4.41      Specifically, the LIV identified that the proposal contradicts NPP 4.2 which relates to the time period that information is retained. NPP 4.2, which is included in proposed APP 11 in the government's Exposure Draft of amendments to the Privacy Act, provides that any personal data which is held by an organisation and is no longer required for the purposes for which it was obtained, should be destroyed or de‑identified. Ms Miller, Law Institute of Victoria, argued:

Our opinion of that principle when applied to this policy is that this information could potentially be retained indefinitely because, basically, how is an ISP to know when a law enforcement agency no longer needs the information that is being collected for them?[44]

4.42      Ms Miller explained that requiring ISPs to retain enormous quantities of data for an extended period also leads to concerns about data security:

There is also a concern about the sheer magnitude of the information that needs to be collected. That would all need to be stored somewhere, and the ISPs would have obligations under the National Privacy Principles to protect against the misuse of that data. The sheer scale of the information collected raises questions about how that would happen.[45]

4.43      The Privacy Commissioner, Mr Pilgrim, agreed that this was a concern:

One of the issues that we face when we are looking at the retention and collection of personal information are the risks that are going to be associated with holding information for a long time when there may not be necessarily a clear or defined purpose for it. If you hold information—whether it be in databases or even if we look at it in the old style of a filing cabinet—and have it sitting around for a long time there is often a great risk that something could happen to it. It could be mishandled or used for inappropriate purposes.[46]

4.44      The LIV also raised concerns about the inconsistency of a data retention scheme with NPPs 8 and 10 (which are included in proposed APPs 2 and 3 respectively). Ms Miller argued that:

The problem with the amount of information that is being collected about people is that it renders it almost impossible to be anonymous, because of the profile that can be developed about you. Also, some of the information may include ‘sensitive information’, as defined under the principles, which is things such as gender, political opinion, sexual preferences and health information.[47]

4.45      Mr Jacobs, Chair, Electronic Frontiers Australia, noted that even though the government is not proposing to require ISPs to retain the content of online communications 'it is still very, very possible to use information of the kind that you described—when an email was sent and to whom—to build up a profile of somebody’s habits'.[48] Mr Jacobs argued that this level of monitoring is unnecessary and invasive:

Even if you do not know the content of the webpage that somebody viewed or the information that they posted in a form when they interacted with the website, just knowing what websites they go to and the fact that they are using them would enable you to build up a full profile of somebody’s interests and habits.[49]

4.46      Mr Jacobs argued that the proposal has significant privacy implications, describing it as 'mass surveillance':

The scheme as proposed has huge drawbacks as well for a society, and we have yet to hear a very good case for why such power should be necessary. We do not think it is hyperbolic to describe such a system as ‘mass surveillance’ because it does involve the most private communications of pretty much everybody in the country who uses the internet for communication—and if it is not everybody yet, it is going to be.[50]

4.47      Furthermore, Mr Jacobs argued that there was no justification for the proposal:

I have not heard a compelling case that the system we have now is broken. With a warrant, with a court order, a law enforcement agency can go to a company that provides email services, like Google or Yahoo, or to an internet service provider and determine the identity of somebody who was at a particular IP address or view their emails. Until I hear a compelling case that that is just not enough data, that we need to go further back in time, that we need to have the information on everybody, whether or not they are of interest to law enforcement at the moment, we certainly cannot support the data retention proposal.[51]

4.48      The Privacy Commissioner, Mr Pilgrim, agreed with the general principles espoused by EFA, Liberty Victoria and the LIV, and was uncomplimentary about the proposal generally (although he did not comment on its specifics). Mr Pilgrim stated:

A central principle in the Privacy Act is that agencies and organisations should only collect the personal information that is necessary for their functions or activities. Generally, my office would not support the collection of personal information on the chance that it may be just useful at some later date. As noted in our submission: ... broad scale collection and retention of web browsing information could significantly impact on the privacy of individuals.[52]

4.49      Mr Pilgrim explained that it is important to ensure that for any data retention proposal:

...we need to first of all understand what the exact problem is that is trying to be responded to by proposing something such as data retention. Is the response—be it setting a timeframe of six months, one year, two years or however many years—proportionate to the risk that is being proposed? You need to clearly understand what the risk is that we are trying to address by maintaining and keeping this information.[53]

4.50      Mr Pilgrim suggested that before any proposal is implemented a privacy impact assessment should be done to identify the risks to privacy, including requiring ISPs to hold personal data for an extended period of time.[54]

4.51      Mr Pilgrim also noted that:

One of the other key issues that we would need to see addressed in any proposal for data retention is what the accountability mechanisms are going to be. Are there sufficient accountability mechanisms to ensure that if that information is being held it is being held securely and that it is not being misused or used for any other purpose that would be beyond the expectation of the individual? Finally, there should be review mechanisms to ensure that those processes are in place and to make sure that, for example, the risk that led to the establishment of those sorts of proposals is still there and still warrants that sort of retention.[55]

4.52      The importance of accountability and appropriate oversight was also emphasised by the Rule of Law Institute and Electronic Frontiers Australia.[56]

The proposal treats online and offline information differently

4.53      A second key concern of submitters and witnesses opposed to the data retention proposal was that it treats online and offline information differently. Ms Miller of the Law Institute of Victoria, noted:

The best way of illustrating that is simply to point out that if this proposal was that all mail sent and received within Australia be logged and retained for seven years, or that all phones be intercepted and recorded, then I think it is not stepping outside the bounds of my expertise to say that there would be significant public outcry. What we have here is the electronic equivalent, and it really means that the government is proposing to treat online privacy in a way that is different to offline privacy simply because the technology makes it possible.[57]

4.54      Ms Miller argued that there is no justification for treating online and offline privacy differently:

I do not think that people make that distinction in their personal lives, their private lives, their professional lives. We do not think that it is appropriate that the parliament make a distinction in legislation between online privacy and offline privacy.[58]

4.55      Ms Miller surmised that when it comes to the possible benefits of technology, law enforcement agencies seem to ask 'Can we do it?' as opposed to 'Is it appropriate or reasonable to do it?', and use invasive investigative techniques because they can, rather than because it is appropriate.[59] She argued:  

The question should always be ‘Is it appropriate and reasonable?’ It should not be the case that just because we can we will.[60]

4.56      Mr Pilgrim, Privacy Commissioner, agreed that it is not appropriate to distinguish between online and offline privacy simply because it is possible:

I would say that my position is that I would favour a consistent approach to data protection. I have not seen demonstrated necessarily why there should be any difference between whether the information is being handled online or offline. I have not seen a strong case put forward to explain that to me.[61]

4.57      Many witnesses strongly disagreed with arguments by the Attorney-General's Department and the AFP that the proposal simply retains the status quo by requiring that the same information available in relation to fixed-line telephone calls be retained for online communications.[62] For example, Ms Miller argued:

The first distinction that I would make between call charge records and metadata of internet websites is that a phone number is just a phone number unless you have other information to interpret what the phone number is. And even if you know who owns the phone number and who the usual users of that number might be, you still know very little about the content of the conversation. I would suggest that when it comes to websites the website address and the type of information that is commonly found on that website can in fact be readily ascertained, even just from the metadata. So, even if the proposal is restricted to metadata as opposed to the actual web pages, there is still a great deal of extra information that can be obtained that you could not get from something like a call charge record.[63]

4.58      Another difference that Ms Miller noted was the important fact that data relating to fixed line telephone calls is collected for billing purposes, not law enforcement purposes. ISPs do not need to retain metadata for billing purposes, so that 'the only reason that they would be collecting this information is because it might be useful to law enforcement agencies not because of how they provide or charge for their service'.[64]

4.59      The LIV argued that this is inconsistent with key recommendations in the ALRC's report on Australian privacy law and practice,[65] submitting that:

The large-scale collection of personal information by governments because it may be helpful to some government functions, rather than because it is necessary, constitutes a serious threat to online privacy. The power of the internet should not be used by governments to achieve measures of control that would not be possible without the internet.[66]

4.60      Ms King-Siem, Vice President, Liberty Victoria agreed:

I understand security issues, but this is where you take a targeted approach where there is a justification and reasonable suspicion that that information is required, not collect information and worry about it later. I think there is a tendency both at government and at corporate level—and in fact it is perhaps just a natural tendency—to collect more than you need and then swallow it later.[67]

Will the data be useful for law enforcement

4.61      Finally, a number of witnesses and submitters questioned whether the data proposed to be retained would even be of use to law enforcement.

4.62      The LIV argued that the proposed regime would be 'unworkable for law enforcement agencies' due to the huge amounts of data collected.[68]

4.63      Ms Miller, LIV, also argued that the proposal is unnecessary as:

Law enforcement agencies can currently apply for warrants to obtain information such as browsing histories from ISPs. If there is a concern that some ISPs do not contain significant browsing history, then the LIV considers that that can be dealt with on a case-by-case basis.[69]

4.64      There is also a risk that a data retention scheme will be ineffective because criminals and others wishing to evade detection will simply use the various mechanisms available to them to hide their online identity. The committee received evidence of various international online services dedicated to protecting the identity of domain name owners. For example, Fraudwatch International submitted that:

Some domain registrars now provide a "Domain Privacy Protection" service, where the domain owner's contact information is not listed in the WHOIS database, but is replaced by standard contact information for either the domain registrar or the privacy service, making it virtually impossible to actually find, or contact the real owner of the domain.[70]

4.65      This obviously makes it incredibly difficult to identify the owners of fraudulent phishing websites and shut them down. Mr Trent Youl, CEO, Fraudwatch International, informed the committee that:

One of the issues we face when we are trying to have phishing websites taken down is that we find a hacked website and suddenly we cannot contact the website owner because their information is hidden. If the website owner has subscribed to this type of service that is apparently protecting their privacy and they do not have any contact information on their website, which many websites do not, it makes it very difficult for us sometimes to do our job and get these fraudulent websites taken down as quickly as possible.[71]

4.66      Fraudwatch submitted that domain privacy protection:

...allows people to anonymously run websites which may be using dubious business practices, fraud, or theft [and] it allows criminals to hide their contact information and appear to be legitimate.[72]

4.67      There is a good chance that increased law enforcement monitoring of online communications will result in the proliferation of this, and similar options for internet users to hide their identity, provided that they are sufficiently tech-savvy. Mr Jacobs, Chair, EFA, explained:

Given that you can host a website in any country and given that regulations vary, the way the internet works is anonymity is something that is probably going to apply to people who run websites as well as people who use them. So I think it is inevitable that such technology will exist. We will see a bit of an arms race when it comes to the technology itself and, perhaps, with the laws; but, no, I do not find that surprising. I think it is inevitable. We will have to have other ways to deal with it.[73]

4.68      There are already services available for consumers who wish to evade the EU's data retention scheme and other monitoring, such as Tor[74] and the Invisible Internet Project (I2P).[75]

Committee comment

4.69      The committee has a number of concerns, both with the Attorney-General's Department's data retention proposal itself, as well as with the way the consultation process has been handled so far.

4.70      There is a lot of misinformation and rumour about the scheme, and it seems to the committee that this is largely due to the Attorney-General's Department's narrow consultations on the issue to date. While industry has been consulted, there has not yet been any discussion with the broader community or public interest and civil liberties organisations. While the committee acknowledges the Attorney-General's Department's explanation for this,[76] the lack of information available to the public about the proposal has resulted in confusion, mistrust and fear about the proposal.

4.71      The committee's central concerns about the proposal are the very real possibilities that it is unnecessary, will not provide sufficient benefit to law enforcement agencies, and is disproportionate to the end sought to be achieved. The proposal has very serious privacy implications, even if one accepts the arguments of the Attorney-General's Department and AFP that the same information is already available for fixed-line telephone records. The fact is that much of the information intended to form part of the scheme does not need to be collected for any other purpose, so the only reason to retain it is the mere possibility that it may prove useful to law enforcement. This seems to the committee to be a significant departure from the core principles underpinning Australia's privacy regulation.

4.72      Furthermore, the committee considers that there is a very real risk that the most serious, tech-savvy criminals—particularly those involved in fraud and child pornography—will be able to evade monitoring in any respect as a result of technological developments.

4.73      Accordingly, the committee urges that prior to any proposal for data retention going any further, an extensive analysis of the costs, benefits and risks of such a scheme must be undertaken. Before pursuing such a scheme, it is incumbent upon government to:

Recommendation 9

4.74      The committee recommends that before pursuing any mandatory data retention proposal, the government must:

4.75      The committee notes that the government is reviewing cyber security and cyber crime as part of its response to the recommendations of the recent House of Representatives committee report into Cyber crime (see paragraph 1.7).[77] The committee encourages the government to take the recommendations contained in this report into account in that review. The committee also expects the government will respond separately to the recommendations made in this report in the usual manner, noting that the Senate has declared that responses should be tabled within 3 months.[78]

Senator Mary Jo Fisher, Chair
Senator Doug Cameron, Deputy Chair

Senator Scott Ludlam
