The future of privacy in Australia after the data retention act
Now that the data
retention legislation has been passed into law, it is worth
reflecting on what potential developments may result once it is
active. The inadequacies of the bill have been discussed widely but a
number of things stand out which may have a bearing on future
developments.
The fact that the
present law will not capture OTT traffic such as Gmail and Facebook
significantly impacts on the efficacy of data retention. Senator
Brandis believes that collecting data on some individuals (innocent
citizens and dumb criminals for the most part) is better than none but
when it becomes clear that this is not catching the
terrorists/criminals, expect some significant tightening in this
area.
Evidence-based law
has not been a strong point in the data retention debate so far and
that is unlikely to change. The fact that mandatory data retention
hasn't been proved effective is unlikely to stop its extension. It
will only take another event involving serious political violence in
Australia for the call to go out to widen the scope of data
retention.
The UK exemplar may
yet become the template for Australia. The Communications Data Bill
(otherwise known as the Snoopers' Charter), first introduced in 2012,
mandates retaining the browsing history of all UK residents. To date
the UK parliament has not been convinced; however, if a Conservative
majority government is returned in the general election in May 2015,
this legislation is slated to proceed unimpeded by the constraints of
coalition with the Liberal Democrats who currently oppose the bill.
It is also
interesting to observe that both the ALP and UK Labour Party mooted
data retention legislation when in office but got cold feet as
elections approached. It would seem clear that in both countries only
the minor parties (with some noble exceptions in the UK case) have
the required technical competence and commitment to placing a high
value on the privacy of the citizen.
So where do we go
from here? I expect that citizens who value privacy online will take
steps (either deliberately or incidentally) to minimize their
exposure to data retention by using communications media which use
OTT services. Privacy and surveillance are international in their
reach and users will continue to demand that major providers like
Apple and Google design their systems to be as immune to bulk
surveillance as possible. There may be room in the mass market for
new players. Surveillance by governments is international too (e.g.
NSA and five eyes) and we can expect that the cat will continue to
play with the mouse. The FBI for example is currently demanding that
the US government insist that Apple create a backdoor in their
encrypted iMessage service.
The implementation
phase of the data retention act which translates the broad
definitions (defined in the act) of data to be captured into actual
instructions for ISPs would appear not to be open to public scrutiny
so citizens may not be allowed to know the detail of the data being
captured. The act however does make provision for citizens to request
a report of their retained data although how granular this will be
has yet to be seen. The opaque nature of the relationship between
domestic law enforcement agencies and those charged with national
security further blurs the picture when it comes to privacy.
Those requiring
their communications to be private as part of professional privilege
may need to adopt counter-surveillance methods to retain the privacy
their clients expect and deserve. This will not only apply to
journalists (the fig leaf provisions in the act offer no meaningful
protection to journalists or their sources) but also to the law and
medical professions. This will require a major change of mindset in
these last two sectors which may not come about until sensitive data
records are subject to court subpoena or when a data breach occurs.
The EU’s Court of
Justice (CJEU) 2014 ruling on mandatory data retention gives some
support to those who believe that this form of surveillance does not
pass the proportionality test and should not form the basis of
national legislation. The current UK DRIPA law which re-activates
those aspects of mandatory data retention struck down by the CJEU
ruling is currently being challenged in the UK High Court.
The rapid changes
which come from the introduction of the internet have meant that in
the short term at least, people have become accustomed to accepting
less privacy. Law enforcement agencies need to do their job so
absolute privacy is neither possible nor desirable. However, privacy
is a fundamental right, the loss of which will only be noticed once
it's gone. Many believe that mass surveillance will eventually be
seen as both ineffective and morally wrong. The question is how long
will this take and what dangers do we face in the meantime?
Trying to get a
perspective on all of this (and I haven't even mentioned corporate
surveillance) can be hard but there are many who seek to explain. One of
the most respected of these is Bruce Schneier who in his recent book
“Data and Goliath” examines privacy and surveillance in
authoritative detail. It's aimed at a general audience and is well
worth reading if you want to know more.
Here is a quote:
“Nevertheless,
the threats of surveillance are real, and we’re not talking about
them enough. Our response to all this creeping surveillance has
largely been passive. We don’t think about the bargains we’re
making, because they haven’t been laid out in front of us.
Technological changes occur, and we accept them for the most part.
It’s hard to blame us; the changes have been happening so fast that
we haven’t really evaluated their effects or weighed their
consequences. This is how we ended up in a surveillance society. The
surveillance society snuck up on us.
It doesn’t have
to be like this, but we have to take charge.”