Starting on Tuesday, October 13, Australian telcos such as Telstra and Optus are required to start storing metadata logs pertaining to people’s email, internet, mobile and landline use for up to two years.
While other countries have overturned legislation dealing with data retention because it has been ruled unconstitutional, Canberra continues to push ahead with its scheme despite concerns from civil liberties and internet rights groups.
What does it mean to the average law-abiding citizen?
Who you called, who called you, both parties’ location and the duration of the calls will be stored for two years, and potentially accessed without a warrant, meaning there is no judicial oversight by a magistrate.
It also applies to email but not to which websites you access. Only the IP address allocated to your modem by your internet provider will be stored so that law enforcement can figure out suspects’ involvement in cyber attacks, child exploitation, terrorism activity and other crimes.
There were 563,012 disclosures in the 2013-14 financial year relating to more than 330,000 authorisations by government agencies. Whether your records were accessed is a secret, even if it was discovered you hadn’t committed a crime.
Can data retention be circumvented?
Yes. With the use of what’s called a virtual private network, or VPN, people are able to prevent their internet metadata being stored by their internet service provider (ISP).
A VPN encrypts all internet traffic between a user and the server that is providing them with internet access.
VPNs vary in their cost but can be bought for less than $5 a month. The Tor Browser, which provides anonymity in a different way, is free but can be very slow, since it relies on an encrypted communications network run by volunteers interested in privacy.
Camouflaging phone access is harder, requiring the use of a service overseas that isn’t subject to data retention legislation. The use of a voice-over IP (VoIP) provider like Skype in combination with a VPN is possible, although law enforcement agencies can still access the data stored on Skype’s servers with a warrant and assistance from US police, which is why some people sign up as “Mickey Mouse” and use gift cards bought with cash at newsagents to not tie their identity to the account.
Some have argued that storing every citizen’s metadata will probably result in more innocent people than hardcore criminals, who are known to use VPNs, having all their data stored.
What has this got to do with piracy?
The government is not after those who illicitly downloaded movies and TV shows, according to former communications minister and now Prime Minister Malcolm Turnbull.
But requiring internet providers to store IP addresses will mean copyright holders will be able to use the courts to try to obtain access to this data. They could then use this to sue individuals for copyright infringement.
Will there be an ‘internet tax’?
Storing large volumes of customer metadata for two years will require data warehouses, which some telcos, like iiNet, have estimated would cost $60 million to set up.
These estimates were based on also storing the URLs customers accessed, which will not be required. The cost is likely to be less, but by how much is unknown.
The government has committed to paying $131 million in set-up costs with taxpayers’ money. Other costs – such as power for data centres – if required, may have to be passed on to consumers.
Either way, costs will end up coming from Australian taxpayers directly or indirectly. Some have labelled this a surveillance tax.
Telcos say they are yet to see any of the money the government has committed, and some lawyers say smaller ISPs could be put out of business because of the new laws.
Where will the data be stored and will it be secured properly?
Questions remain over what obligations will be placed on telcos to secure data properly.
There is no data breach notification scheme in Australia, so if data is hacked, your internet or phone company does not have to tell you about it.
Fines of up to $1.1 million can apply but that’s only if the federal Privacy Commissioner investigates a breach.
New legislation that will deal with the storage of the data is due to be introduced before the end of the year.
When will the legislation become effective?
From Tuesday, October 13. But even then telcos can delay the start date by using what’s known as a data retention implementation plan, or DRIP.
A DRIP allows a service provider to delay implementing data retention for up to 18 months if the Attorney-General’s Department approves the delay.
Are there any good safeguards introduced by the bill?
Yes. Previously, local councils, the RSPCA, Australia Post and other agencies not typically considered law enforcement authorities could access your metadata. They will no longer be able to access it without approval from the Attorney-General. The Attorney-General will be required to consider a range of criteria before granting approval, including whether the agency seeking access to the data is subject to a binding privacy scheme.
From October 13, the Commonwealth Ombudsman will also have oversight of metadata access but this is only after metadata requests are made.
Does data retention work?
When Germany introduced mandatory data retention there was a 0.006 percent increase in crime clearance rates.
Germany and other countries later ruled data retention unconstitutional, but the Australian government says it has taken into account suggestions made by courts overseas that have overturned the legislation.
There have also been questionable alleged uses of metadata in Australia, including by Queensland Police, who reportedly used it to see whether cadets were faking sick days or sleeping with one another (against police rules).