What data retention is, and why it’s bad
Tuesday, July 29, 2014/
With the Australian government “actively considering” data retention, and Australian Security Intelligence Organisation chief David Irvine telling a Senate committee that it is crucial to intelligence-gathering and that Australians have nothing to fear from it, it’s time for a clarifier on exactly what data retention is and the concerns it raises.
What is data retention?
The compulsory retention of information about a citizen’s telecommunications and online usage, either by telcos and internet service providers themselves, or by a government agency, so that law enforcement and intelligence agencies can use it to investigate crime and national security threats.
What sort of data?
Depends. The European Union scheme (now ruled illegal) was limited to telecommunications metadata — whom you called and when, duration of call, location, and the account linked to a particular IP address. The previous Australian government cited the EU model as what it had in mind when it invited a parliamentary inquiry into the idea in 2012. However, some individual countries (like Denmark) went further than the Eu directive and included web browsing history. Most Australian agencies officially only want metadata, not content data (like browsing history and email contents), but some agencies and police forces want the lot. Some things, like email subject lines, could arguably be either metadata or content data. The definition of what data will be subject to a data retention regime is thus crucial.
What would it cost?
In evidence to the Joint Committee on Intelligence and Security that considered the issue in 2012, iiNet said it might cost them $5 a month for every customer to store data. That, in effect, is a $60 a year surveillance tax on every household. iiNet has recently significantly increased its estimate of the likely cost. Remember, both companies and government agencies will not merely need to store this data, but ensure it is stored safely — the vast trove of personal data that data retention will produce will be immensely attractive to criminals (and online activists looking to demonstrate how unsafe it is — in 2012, Anonymous hackers released customer data obtained from AAPT to protest the then-government’s data retention proposal).
What happens currently?
Traditionally, telcos have retained phone records because that was how they billed you. But there is decreasing need for specific call-based billing as consumers move to data-based plans. Moreover, companies have no need for metadata beyond the billing cycle, and given there’s a cost to storing such data, they are keeping less of it for the sort of periods agencies prefer — usually two years. Law enforcement and intelligence agencies call this “going dark” — losing access to phone information of the kind they’ve had for decades.
So what’s the problem – isn’t this just maintaining the status quo?
No. Let’s just focus on phone data. Your mobile phone data includes your location as your phone interacts with nearby phone towers, so in effect it can be used as a tracking device. But more importantly, forget that “it’s just metadata” (or “just billing data” as the Prime Minister said). A single phone call time and duration won’t tell anyone much about you. But in aggregate, metadata will reveal far more about you than content data.
With automated data-sifting software, agencies can accumulate a record of everyone you have called, everyone they have called, how long you spoke for, the order of the calls, and where you were when you made the call, to build a profile that says far more about you than any solitary overheard phone call or email. It can reveal not just straightforward details such as your friends and acquaintances, but also if you have medical issues, your financial interests, what you’re buying, if you’re having an affair or ended a relationship. Combined with other publicly available information, having a full set of metadata on an individual will tell you far more than much of their content data ever will.
And if you don’t believe us, ask the people who know: the General Counsel for the United States National Security Agency has publicly stated, “metadata absolutely tells you everything about somebody’s life. If you have enough metadata, you don’t really need content”. According to the former head of the NSA, Michael Hayden, the US government kills people based on metadata it has accumulated on them. As Edward Snowden says: “You can’t trust what you’re hearing, but you can trust the metadata.”
OK, but we’ve already given away our privacy to Facebook etc, haven’t we? Why shouldn’t agencies that want to protect us get the same data?
This is an argument routinely used by data retention advocates, and by Irvine himself. But going on Facebook isn’t compulsory. Citizens choose to use social media or other online platforms and voluntarily engage in the swap of privacy for services that so many applications are built on. Maybe they don’t understand the full nature of what they’re losing in that transaction, but it’s still voluntary. There is nothing voluntary about data retention — not unless you want to withdraw from the 21st century and not use telecommunications and online services.
But agencies say they need it to help prevent and solve crimes.
Let’s look at what happened in Europe. A German parliament study concluded data retention in Germany had led to an increase in the crime clearance rate of 0.006%. (The German scheme was later ruled unconstitutional.) Danish police, who have a much wider metadata and content data retention scheme, said the sheer amount of information was too unwieldy to use.
But such-and-such a high-profile crime was solved with metadata.
Maybe. But that metadata was available without a data retention regime. As the German study demonstrates, the number of crimes solved because of old metadata that would not otherwise have been available is negligible. And anyway, in western societies, we have long accepted that there is a trade-off between the rights of the individual, including a right to privacy, and the state’s power to protect its citizens. We understand that our civil liberties make it harder for the state to prevent, detect and punish crime, but value them enough to keep them anyway. Data retention alters this balance in favour of the state.
But we can trust our agencies to do the right thing.
Australia’s agencies generally have a better record of behaviour than foreign agencies. For example, repeated abuses such as stalking women, sharing intimate photos and listening in to intimate conversations, have been revealed to have occurred in the NSA; the CIA recently spied on the Senate Intelligence Committee while it was preparing a report exposing the agency’s use of torture; MI6 abducted and rendered Libyan dissidents to the Gaddafi regime for torture in exchange for help in the War on Terror.
However, ASIO, the Australian Federal Police and the Australian Secret Intelligence Service are by no means perfect and serious questions remain, for example, about both ASIS’s bugging of the East Timorese cabinet in 2004 and ASIO’s efforts to intimidate and gag the whistleblower who revealed it late in 2013. We also know from Edward Snowden that Australians intelligence agencies use electronic surveillance not for protecting us from terrorists, but for economic espionage.
The problem is that, unlike normal government bureaucracies, intelligence agencies have minimal public oversight or accountability, and can use national security as a justification to resist media scrutiny. The lack of oversight means incompetence, corruption, mission creep and criminal activity are far less likely to come to light than in normal government agencies. Public transparency is one of the key motivations for public servants to behave appropriately, and it doesn’t exist for agencies engaged in surveillance. And the more personal data they have access to, the greater the temptation.
But if you’re not doing anything wrong, you have nothing to hide.
Wear clothes in warm weather and have blinds in your windows? What are you hiding?
Are you happy for everyone to know where you are all the time, who your friends are, whom you’re having a relationship with, everyone you call, whether you have a medical or financial problem? It is not up to privacy advocates to “prove” the right to or importance of privacy. All governments acknowledge it is a fundamental right. If you support breaching that right, it is up to you to make the case, not demand privacy advocates defend it.
And law enforcement and intelligence agencies don’t merely target people “with something to hide.” People as diverse as whistleblowers, journalists, politicians, non-government groups and activists are subject to surveillance by such agencies, despite not having “done anything” other than reveal wrongdoing by governments and companies and protest against it. Data retention thus indirectly threatens core processes of democracy like whistleblowing, political organisation and scrutiny of governments. And once information is collected, agencies will press for its permanent retention. Some already argue that information should be retained forever. That means all future governments will have access to it. You may be comfortable with the current government having access to your data – but what about all future governments?
And law enforcement and intelligence agencies aren’t the only groups who have access to metadata. In Australia, bodies as diverse as local councils, the RSPCA and health bodies can obtain telephone metadata on citizens without a warrant.
But this is about stopping terrorism – the ends justify the means.
Terrorism is a wildly overhyped threat in western countries. About three times more Australians have died falling out of bed since 2001 than have died at the hands of terrorists; more Australians die from diseases like shingles and chickenpox than from terrorism. More women and children die at the hands of the partners and parents in Australia every year than the total number of Australian victims of terrorism. More Americans die from causes like malnutrition, falls, swimming accidents and work accidents each year than the entire death toll from 9/11. The level of spending we direct toward national security is completely unjustified in terms of the harms it prevents.
As a threat to the health and lives of western citizens, terrorism is negligible compared to deaths caused by poor infrastructure, bad health policies, unsafe workplaces or poverty. Data retention would be yet another expensive, intrusive national security policy that has no objective justification. Doing things in the name of stopping terrorism relies on our emotional fear of attacks, rather than making the case for taking away our rights.
Follow StartupSmart on Facebook, Twitter, and LinkedIn. This story first appeared on Crikey.com.au.
From the frontlines
Five critical questions: Are you listing your startup too soon? Lisa Schutz Verifier founder
Sex appeal, runways and mature markets: Everything Guy Pearson learnt during his $26 million Series B raise Guy Pearson Practice Ignition CEO
Barriers from the outset: Why the government’s Boosting Female Founders Initiative is unlikely to succeed Laura Keily Immediation founder