The Government has officially introduced a Bill into the House Of Representatives today that would compel ISPs and telcos to store your data for a prescribed amount of time. This is everything you need to know about who will store your data, how long it will be kept for, and who can access it.
Wait, What's Going On?
If you've been living on the Moon for the last six months, here's a quick backgrounder.
As part of a new anti-terrorism push, the Coalition Government led by Prime Minister Tony Abbott is looking to push through three pieces of new legislation.
The first Bill — which has already been passed into law — grants our law enforcement agencies more powers to hunt for bad guys; the second Bill is called the Foreign Fighters Bill and looks to establish "no go zones" for Australian travellers in a bid to stop locals leaving the country to train as lone-wolf terrorists; and the third is an amendment to the Telecommunications Interception Act which would compel ISPs and telcos to store customer metadata for the purposes of intelligence gathering and law enforcement for a period of two years.
The third bill for the TIA Amendment is the one being introduced into Parliament today, and that's the one that's most likely to upset Aussie geeks and privacy advocates.
So What's Being Stored, And For How Long?
Let's be clear: this is still just words on a piece of paper currently being argued over in Parliament. For a Bill to be passed into law, it first has to be read several times in the House of Representatives, before being passed up to the Senate or house of review. There it's debated over by, in this case, Senators who vehemently dislike the idea that Australian law enforcement agencies will be gathering up haystacks worth of metadata based on the threat that one day there might be a needle hidden inside of one.
Cross-bench Senators as well as Senators from the Australian Greens are opposed to the legislation, and have been for some time.
The Bill's passage through the House of Reps may also be slowed. Sources within the Opposition have told us this morning that the Labor Party will have to seriously consider the Bill before officially responding, rather than provide immediate bi-partisan support.
Either way, this is the last Parliamentary sitting day of the month, and the Parliament doesn't sit again until late November, so we have some time before things kick off in earnest once again in Canberra. Speaking at a press conference this morning, Attorney-General George Brandis wouldn’t be drawn on whether the Bill would be passed before the end of the year.
Here's what we know right now.
The Government has gone to pains to explain that it just wants your metadata captured by the new legislation, rather than what it calls "content".
Data like who called who when, which phone number was being used, basic customer account data like addresses and other relatively harmless data.
So where is the line being drawn?
Well, the government specifies that it doesn't want "session data" generated by customers. Here's an excerpt from the explanatory memorandum:
Under proposed paragraph 187A(4)(b), the retention obligation is explicitly expressed to exclude the retention of destination web address identifiers, such as destination internet Protocol (IP) addresses or uniform resource locators (URLs). This exception is intended to ensure that providers of internet access services are not required to engage in session logging, which may otherwise fall within the scope of the destination of a communication.
That means the government will be looking to store the date, time and duration of a communication (be it via web, phone or text), rather than the specific content of web browsing. That means the Government will know which IP addressed you browsed from and how long, but not the pages that you visited. Similarly, metadata would indicate who you called or texted and for how long it went for but not the content of the message.
Communications Minister Malcolm Turnbull said in a press conference this morning that the Bill isn't about garnering any "new" information, rather it's about creating a standard for data storage and duration of storage.
Law enforcement agencies can access content, but not under this legislation. For that, said agencies will require an explicit warrant. From the memorandum:
Accessing content, or the substance of a communication (for instance, the message written in an e-mail, the discussion between two parties to a phone call, the subject line of an e-mail or a private social media post), without the knowledge of the person making the communication is highly privacy intrusive and under the TIA Act can only occur under an interception or stored communications warrant, or in limited other circumstances such as in a life-threatening emergency. Interception is subject to significant limitations, oversight and reporting obligations. None of these arrangements are affected by this Bill.
Your metadata is going to be stored, as expected, for a period of two years. Storage regulations will be set up by the government to keep everything safe.
Basically, the government wants to store your data in order to smash individuals participating in the sharing of child exploitation material, planning criminal acts including terrorism and generating a trail of evidence in investigations to either rule in, rule out and successfully prosecute
Who Can Access Your Metadata?
During recent hearings relating to metadata access, concerns were expressed that tens of agencies were able to access metadata without a warrant in connection with various investigations.
In order to shore up access regulations and to cut down on abuse of warrantless access to metadata, the Government has specified which agencies will be allowed warrantless access to metadata stores, and which will need to actually apply for permission (emphasis added):
While telecommunications data is less privacy intrusive than content, law enforcement and national security agencies can only access data where a case can be made that this information is reasonably necessary to an investigation. This Bill will further strengthen privacy protections in the TIA Act in relation to data by limiting the types of enforcement agencies that can access telecommunications data.
Currently any authority or body that enforces a criminal law, a law imposing a pecuniary penalty or a law that protects the public revenue is an ‘enforcement agency’ under the TIA Act and can seek telecommunications data where that access complies with the requirements set out in Chapter 4 of the TIA Act. In 2012-2013 data was accessed by around 80 Commonwealth, State and Territory agencies with criminal law or revenue protection functions.
The Bill will require that bodies who are not a ‘criminal law enforcement agency’ for the purposes of the TIA Act must be declared by the Minister to be an ‘enforcement agency’ before they can authorise the disclosure of telecommunications data. These amendments will ensure that only authorities and bodies with a demonstrated need to have telecommunications information can authorise the disclosure of this information. These amendments are consistent with Recommendation 5 of the PJCIS Report that the number of agencies able to access telecommunications data be reduced.
Does Anyone Care About Your Privacy?
The Government will also appoint several safeguards to make sure that metadata access isn't being abused:
The Bill will further enhance privacy protections by introducing an independent oversight mechanism for access to data by law enforcement agencies. Under these provisions the Commonwealth Ombudsman will, for the first time, have the power to inspect the records of enforcement agencies to ensure that agencies are complying with their obligations under the TIA Act. The Inspector-General of Intelligence and Security (IGIS) currently oversights and will continue to oversight access to telecommunications data by the Australian Security Intelligence Organisation (ASIO).
ISPs like iiNet have consistently warned that a massive cost would come with metadata storage. The government today has agreed with that assessment, but promised to contribute "substantially" to the creation and ongoing cost of the metadata retention program.
Turnbull said at this morning's press conference:
There are some ballpark figures being thrown around but they are at this stage not of sufficient accuracy for me to be citing. We will work through that will the PCJIS and of course we have a working group…and the Secretaries of the Attorney’s department and my department. We don’t have a final figure at this point. The estimates are getting more accurate but it’s something that will be refined in the course of the consultation.
Whether or not you'll pay more for metadata storage remains to be seen.
Is It Secure?
Various telcos, including Telstra, has expressed concern that the storage of large amounts of metadata at rest in a datacentre creates a "honeypot" for hackers. To address that concern, Malcolm Turnbull outlined plans to introduce new security regulations to protect Australia's telephone networks.
Speaking at a press conference this morning, Turnbull said that ultimately, storage is up to the telcos:
“Securing data safely is the responsibility of the telcos. They’re very alert to data security already. We are presently preparing new legislation which will strengthen…the security of Australia’s telecommunications structure or system, and that would add to that security and we expect those new laws and amendments to be in place before the 18-month implementation period is complete. [Security] is clearly in the hands of the telcos.
Most of the categories that we’re talking about in terms of data - telephone metadata — are being kept by phone companies…for up to 7 years. This is anticipating a change in that. There are some ISPs that have been storing data that they have hitherto kept for long periods down to short periods or at all. In an IP world, there isn’t a business need for them to do so. We’re asking them to do something which they’re either doing or supremely capable of doing, or which they may not in the future have a business need to do so. We’re talking about the degradation of this resource for law enforcement. There’s nothing new about…[agencies] accessing metadata.
Will It Ever Be Repealed?
So how long will you have to live with a data retention scheme? Is there any chance of the Government changing its mind?
Well, it's unlikely to be reversed if it actually gets passed through the House and the Senate, but the Parliamentary Joint Committee on Intelligence and Security — the one that originally examined the usefulness of a metadata retention program — will re-examine the program after three years.
Depending on when the program is introduced (keeping in mind there is the provision for an 18-month implementation lead time), the players on that panel, as well as the government itself, could be very different. That's very much a wait-and-see at this point, but it's unlikely to be repealed if it passes given that law enforcement agencies have been pushing so hard for it over the last two governments.