- In August 2017, the Attorney-General’s Department released the Telecommunications (Interception and Access) Act 1979 – Annual Report.
- The report is the first opportunity to see how the 2015 mandatory data retention laws have been implemented. It also prompts us, as lawyers, to reflect upon the broader national and international context, and to question again whether these intrusions by the State are justifiable.
In August 2017, the Attorney-General’s Department released the Telecommunications (Interception and Access) Act 1979 – Annual Report for the year ending 30 June 2016 (the ‘Report’). This was the first opportunity to see how mandatory data retention laws passed in 2015 have been implemented. The report provides insight into how criminal law enforcement agencies have accessed telecommunications data (known as metadata) stored for the purposes of complying with the mandatory data retention regime.
The Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2015 amended the Telecommunications (Interception and Access) Act 1979, requiring all telecommunications and internet service providers to store a mandatory set of telecommunications data for a period of two years for all users of their services.
At the time, concerns were raised about costs, privacy and the lack of judicial oversight of the warrantless access scheme. Two years on, what have we learnt about the way in which laws have been implemented? Were the early concerns justified?
The Report states that the majority of criminal law offences for which data was requested were illicit drug offences (57,166 requests) and homicide related offences (25,245 requests). In contrast, 4,454 requests were made in relation to terrorism investigations. The industry cost of implementing data retention obligations was reported to be $198,527,354 to 30 June 2016. And in April this year the Australian Federal Police announced they had ‘self-reported’ to the Commonwealth Ombudsman that they breached the Act by failing to obtain a warrant to access journalist metadata for the purpose of identifying a journalist’s source.
The Data Retention Scheme explained
The Data Retention Scheme:
- requires telecommunications service providers to retain and to secure for two years, telecommunications data, as distinct from the content of the telecommunication;
- requires service providers to protect retained data through encryption and by preventing unauthorised interference and access;
- limits the range of agencies that are able to access such data; and
- is a warrantless regime except in relation to journalists in limited circumstances.
Service providers such as Telstra, Optus, and other internet service providers (‘ISPs’) and carriage service providers (‘CSPs’) are required to store the following data and make it available on request to a list of criminal law enforcement agencies provided for in the legislation:
- the subscriber of accounts, services, telecommunications devices and other relevant services relating to the relevant service;
- the source and destination of a communication – the phone number receiving an SMS or call, the recipient email address and IP address;
- the date, time and duration of a communication, such as when a user logged on or off a service or made a call;
- email – each authenticated connection identifier of the subscriber (username/IP address), date and time sessions start and end, to whom an email was sent and who received it, date/time this happened, who was CC’d and BCC’d and any emails not received (but not the content or subject line); and
- for Wi-Fi providers – the occasions when a device authenticates or joins the network, physical locations, and the MAC address (a unique number that identifies a device such as a mobile phone, iPad or laptop).
Potential scope creep – access to data by civil litigants
Following concerns raised by privacy and legal experts in 2014/15, a prohibition was put in place to prevent civil litigants from accessing the kinds of data described above. Section 280(1B) was inserted into the Telecommunications Act 1997 to prohibit telecommunications providers from disclosing data retained solely for the purpose of complying with their data retention obligations, if it is sought in relation to subpoenas, notices of disclosure and court orders in connection with civil proceedings. But in December 2016, the Attorney-General’s Department announced a consultation into whether there should be changes to this prohibition against disclosure in civil litigation.
A concern of many who made submissions to the consultation was whether parties in domestic violence or family law proceedings may be able to obtain access to this rich dataset which contains sensitive, confidential information. While telecommunications data can already be accessed by subpoena, these documents are rarely sought. The dataset stored under the data retention regime is comprehensive and if it became accessible under subpoena for a legitimate forensic purpose, the telecommunications data (or metadata) of litigants may become widely used. Allowing access to data stored under the Data Retention Scheme may also greatly increase the costs on ISPs and telcos having to comply with those subpoena requests.
After receiving 260 submissions to the consultation, the Attorney-General announced on 13 April 2017 that there would be no changes to the legislation.
What does the European Court of Justice say?
Broad State-based surveillance of all members of a population has increased around the world thanks to developments in technology which enable the cost-effective storage and processing of large datasets. This trend toward mass, indiscriminate surveillance has, however, been met with increasing opposition.
In December 2016, the European Court of Justice said that to be consistent with privacy rights, any law concerning the retention of metadata must limit the categories of data to be retained, the means of communication affected, the persons concerned and the retention period adopted (Tele2 Sverige AB v Post-och telestyrelsen; Secretary of State for the Home Department v Watson and others (C-203/15 and C-698/15), EU:C:2016:970, at ) (‘Tele2 decision’). By comparison, Australia’s data retention scheme could be considered general and indiscriminate as it collects all citizens’ metadata.
After the Tele2 decision, the Irish Government commissioned the former Chief Justice of Ireland, John Murray, to review its current data retention legislation. The report was released on 4 October 2017. It found that the current Irish data retention regime breached European law and amounted to mass surveillance of the entire population of the Irish State. The scheme in Ireland, much like in Australia, enables the police and other state authorities to access metadata with a disclosure request and with no judicial oversight. The report said the current statutory framework was indiscriminate in application and scope, and conducted without the consent of those affected. A draft bill accompanying the report proposed that the data retention scheme be modified to require greater judicial oversight with a High Court Judge having to approve access to journalists’ metadata.
Facial recognition databases
It was agreed at the Council of Australian Governments meeting on 5 October 2017 that there will be a national facial recognition database, which will allow access by private third parties. There are real concerns about how the Government will secure this data, given the multitude of people that may have access to it and the privacy implications of this database being accessible in real-time to both criminal law enforcement agencies and private third parties such as shopping centres.
Client legal privilege in the age of data retention
Client legal privilege protects the communications which clients have with their lawyers and it is a privilege that has been honoured since Elizabethan times. In the Australian Law Reform Commission’s report Traditional Rights and Freedoms – Encroachments by Commonwealth Laws (ALRC Report 129), tabled on 2 March 2016, the ALRC identified the mandatory data retention legislation as a law that abrogates client legal privilege and which may create a chilling effect on communications between a lawyer and their client. It said that client legal privilege interacts with other rights and privileges at common law, and noted the comments of Murphy J in Baker v Campbell:
‘The client’s legal privilege is essential for the orderly and dignified conduct of individual affairs in a social atmosphere which is being poisoned by official and unofficial eavesdropping and other invasions of privacy’ (Baker v Campbell (1983) 153 CLR 52, 85, 116–117).
When the Parliamentary Joint Committee on Intelligence and Security sought submissions in relation to the proposed data retention laws in 2014, the Law Council of Australia expressed concerns that while telecommunications data may not reveal the content of the communications, it would reveal who a lawyer has contacted; the identity and location of the lawyer; and the identity and location of witnesses. This may reveal a litigation or defence strategy. Measures that can be taken to protect lawyer-client communications rely on encryption, but in July 2017, the Federal Government announced it will introduce legislation which will allow Australian law enforcement agencies to access the content of end-to-end encrypted information. Internet companies will be obliged to assist law enforcement agencies with accessing information that those agencies are lawfully entitled to, in accordance with an appropriate warrant or court order, but are not currently able to fully access due to encryption. The legislation will also impose an obligation upon device manufacturers and service providers to assist intelligence and law enforcement agencies with a warrant to access encrypted information. If implemented by the Government, this proposal will further impact on the ability of lawyers to protect their confidential client communications.
In contrast, a 2015 report by the UN Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, delivered to the Human Rights Council on encryption, says states should promote strong encryption and anonymity and national laws should recognise that individuals are free to protect the privacy of their digital communications by using encryption technology and tools that allow anonymity online.
Review of legislation
In 2019, the Parliamentary Joint Committee on Intelligence and Security will conduct a review of the data retention legislation. There will be a more comprehensive history available then as to how the scheme has been implemented and whether it is achieving its stated objectives of preventing serious crimes and protecting national security. This information will assist when considering whether the current regime is a necessary and proportionate response to those threats, or if the delicate balance of protecting rights and freedoms has been compromised.