A very polite war is going on in Canberra right now over the future of privacy on the internet in Australia. Senators are grilling department heads on whether or not the proposed data retention scheme will work in Australia. It's a war of words, where every answer matters. Today's question? Can the proposed scheme be easily dodged by Aussies? Maybe.
Yesterday, representatives from the Attorney-General's department sat down with Senators in Parliament House to chew the fat over the proposed data retention scheme, that would (if enacted) see telcos and ISPs retain your metadata for a fixed period of time to be potentially accessed by law enforcement to help catch baddies. At least, that's the pitch from the AG's department. Those on the opposite side of the House say it's ripe for abuse, and fundamentally undermines the principles of privacy online. Hence the need for hearings like the one posted above.
There are a few important questions that need to be answered when it comes to the government's proposed data retention scheme: how much will it cost, who can access the data, and can it be easily circumvented?
On the question of circumvention, the Greens and the Attorney General's staffers went head-to-head yesterday, arguing over whether or not data retention could be easily bypassed, and the answer really depends on who you ask.
Greens' Senator Scott Ludlam quizzed the AG's department yesterday on how easy it would be to skip out on having your metadata retained if you connected to a public network. Below is a brief exchange between the pair:
Senator Scott Ludlam: Are you aware of the wide variety of way in which people could accidentally circumvent data retention by, for example, using a university network or logging onto the Parliament House Wi-Fi? I'm presuming you would agree those systems would be out of scope of data retention?
Anna Harmer, Attorney General's Department: We're aware there are a number of ways in which people can conduct their communications and that they have a number of channels through which to do so.
Senator Scott Ludlam: So if somebody logs onto the Wi-Fi in Parliament House, in this building, would the metadata be retained by anyone in particular, or would that be out of scope of the National Data Retention Regime?
Anna Harmer, Attorney General's Department: Two specific exemption in the Bill may be relevant...there are particular exemptions for service that are provided in a same place, and ones provided to an immediate circle. The immediate circle ones wouldn't be applicable here. The immediate circle ones apply to entities such as universities...or corporate networks where a company provides its services to its employees but it might be across multiple sites. It's not broadly available to the public.
So there's also an exemption for same area or same place, which ensures that there is not an obligation placed in respect of services provided at a specific location, and the effect of that...would be that the Wi-Fi you might access through a chain coffee store or something like that, a data retention obligation would not fall on the person offering that service.
That's not to say that there wouldn't be data collected because there are telecommunications services who are providing data, but the individual coffee shop provider does not need to disaggregate the data in respect of his or her individual customers, but there is still data collected in relation to the use of that telecommunication service. Ultimately, the coffee shop owner is a customer of the telecommunications provider.
Senator Scott Ludlam: So what about Parliament House or a public library?
Anna Harmer, Attorney General's Department: The data retention obligations would apply to a service provider...who is providing a service to a particular customer and in respect of a public library venue, the data retention obligations apply to the carrier or carriage service provider who is providing the end customer service to that library. The library itself does not have to break it down.
Senator Scott Ludlam: Who has to keep track of who's logged on to the free Wi-Fi at a public library? Anybody or nobody?
Anna Harmer, Attorney General's Department: In relation to the individual usage of [the Wi-Fi], the library does not have to keep individual logons.
Senator Scott Ludlam: But then neither does the service provider they purchase the service from?
The service provider needs to keep the elements of the data set in respect of their provision of the service: the information about that subscriber — being the library — and the period over which that is used and the information about the individual communications that are carried.
Senator Scott Ludlam: What that tells to me is that if you want to avoid the national data retention scheme you're seeking to impose, you use the internet at a library or come to Parliament House or go to a free council hotspot or go to public transport?
Anna Harmer, Attorney General's Department: I don't think it tells you that, but it does tell you that aggregation occurs at a high-level and as I said...I'd be reluctant to comment on the techniques security agencies use to support their investigations.
They would be caught, the question is by whom. [The scheme] does not impose a new obligation on all persons who provide access to their free Wi-Fi to their customers to now log their individual customers and be accountable and respond to data authorisations.
Senator Scott Ludlam: So that tells me it wouldn't be caught if it's a university Wi-Fi on campus, for example: that means nobody is responsible for monitoring and aggregating and providing later all that traffic.
Anna Harmer, Attorney General's Department: The service provider still has an obligation in relation to their provision of the service to the university.
Senator Scott Ludlam: So they're going to be running a mail server or a router for free Wi-Fi, the only thing going back to Telstra or NBN Co in this instance is bulk traffic farmed out, not who it went to or what traffic it was for.
Anna Harmer, Attorney General's Department: I'm nodding because I'm not sure how much I can add without getting into some tricky territory and I'm reluctant to speak on behalf of agencies but it is correct to say that there is no obligation in respect to the hypothetical university or coffee shop...that maybe providing its Wi-Fi service to its customers...there is no obligation placed on those entities to record the individual use of that service by the individual people who come into that network. There remains a case where carriage service providers can retain data in relation to the provision of service to those institutions.
The question is I suppose is there a level of aggregation? While I think there are some limitations associated with that...it is nevertheless the fact that there is data that's available, the question is the additional steps that a law enforcement agency will need to take to make that data useful and intelligible to them.
The crux of the Senator's questioning yesterday comes down to who is classed as a commercial service provider under the proposed data retention scheme. Would public Wi-Fi providers such as universities, libraries and even Parliament House in Canberra be forced to retain data on the people who connected to the network, or would the telco providing the service to that location retain a limited number of records on those who used the hotspot?
Again, the effectiveness of data retention seems to come down to who you ask. The Government and its spooks will tell you it's a necessary tool, whereas privacy advocates and tech experts would argue it's expensive, easily evaded and needless. The bottom line, however, is that there are still questions over its effectiveness, which means that it can't be rushed.