Sunday 29 March 2015

The future of privacy in Australia after the data retention act


Now that the data retention legislation has been passed into law, it is worth reflecting on what potential developments may result once it is active. The inadequacies of the bill have been discussed widely but a number of things stand out which may have a bearing on future developments.

The fact that the present law will not capture OTT traffic such as Gmail and Facebook significantly reduces the efficacy of data retention. Senator Brandis believes that collecting data on some individuals (innocent citizens and dumb criminals for the most part) is better than none, but when it becomes clear that this is not catching the terrorists/criminals, expect some significant tightening in this area.

Evidence-based law has not been a strong point in the data retention debate so far and that is unlikely to change. The fact that mandatory data retention hasn't been proved effective is unlikely to stop its extension. It will only take another event involving serious political violence in Australia for the call to go out to widen the scope of data retention.

The UK exemplar may yet become the template for Australia. The Communications Data Bill (otherwise known as the Snoopers' Charter), first introduced in 2012, mandates retaining the browsing history of all UK residents. To date the UK parliament has not been convinced; however, if a Conservative majority government is returned in the general election in May 2015, this legislation is slated to proceed unimpeded by the constraints of coalition with the Liberal Democrats, who currently oppose the bill.

It is also interesting to observe that both the ALP and UK Labour Party mooted data retention legislation when in office but got cold feet as elections approached. It would seem clear that in both countries only the minor parties (with some noble exceptions in the UK case) have the required technical competence and commitment to placing a high value on the privacy of the citizen.

So where do we go from here? I expect that citizens who value privacy online will take steps (either deliberately or incidentally) to minimize their exposure to data retention by using communications media which use OTT services. Privacy and surveillance are international in their reach and users will continue to demand that major providers like Apple and Google design their systems to be as immune to bulk surveillance as possible. There may be room in the mass market for new players. Surveillance by governments is international too (e.g. the NSA and Five Eyes) and we can expect that the cat will continue to play with the mouse. The FBI, for example, is currently demanding that the US government insist that Apple create a backdoor in their encrypted iMessage service.

The implementation phase of the data retention act, which translates the broad definitions (defined in the act) of data to be captured into actual instructions for ISPs, would appear not to be open to public scrutiny, so citizens may not be allowed to know the detail of the data being captured. The act does, however, make provision for citizens to request a report of their retained data, although how granular this will be has yet to be seen. The opaque nature of the relationship between domestic law enforcement agencies and those charged with national security further blurs the picture when it comes to privacy.

Those requiring their communications to be private as part of professional privilege may need to adopt counter-surveillance methods to retain the privacy their clients expect and deserve. This will not only apply to journalists (the fig leaf provisions in the act offer no meaningful protection to journalists or their sources) but also to the law and medical professions. This will require a major change of mindset in these last two sectors which may not come about until sensitive data records are subject to court subpoena or when a data breach occurs.

The EU’s Court of Justice (CJEU) 2014 ruling on mandatory data retention gives some support to those who believe that this form of surveillance does not pass the proportionality test and should not form the basis of national legislation. The UK DRIPA law, which re-activates those aspects of mandatory data retention struck down by the CJEU ruling, is currently being challenged in the UK High Court.

The rapid changes which come from the introduction of the internet have meant that in the short term at least, people have become accustomed to accepting less privacy. Law enforcement agencies need to do their job so absolute privacy is neither possible nor desirable. However privacy is a fundamental right, the loss of which will only be noticed once it's gone. Many believe that mass surveillance will eventually be seen as both ineffective and morally wrong. The question is how long will this take and what dangers do we face in the meantime?

Trying to get a perspective on all of this (and I haven't even mentioned corporate surveillance) can be hard, but there are many who seek to explain. One of the most respected of these is Bruce Schneier, who in his recent book “Data and Goliath” examines privacy and surveillance in authoritative detail. It's aimed at a general audience and is well worth reading if you want to know more.

Here is a quote:

Nevertheless, the threats of surveillance are real, and we’re not talking about them enough. Our response to all this creeping surveillance has largely been passive. We don’t think about the bargains we’re making, because they haven’t been laid out in front of us. Technological changes occur, and we accept them for the most part. It’s hard to blame us; the changes have been happening so fast that we haven’t really evaluated their effects or weighed their consequences. This is how we ended up in a surveillance society. The surveillance society snuck up on us.
It doesn’t have to be like this, but we have to take charge.