‘Shelved’? No. Data retention will be back

analysis Yesterday it was widely reported that the Federal Government had ‘shelved’ its data retention plans, walking away from the controversial proposal to monitor all Australians’ communications. But the reality is the complete opposite: Data retention is still being actively considered as a policy and will shortly return to plague Australia once again.

If you believe most of Australia’s media outlets, yesterday the great multi-headed monster that is data retention was slayed by a cadre of victorious knights. ‘Government shelves controversial data retention scheme’, proclaimed The Age. “Australian Government shelves data retention plans,” wrote ZDNet. “Govt shelves telco data retention scheme,” added iTNews. Yup, there were plenty of footsoldiers waving flags in the air, their feet squarely planted on what they thought was the corpse of this long-reviled comprehensive surveillance project.

The only problem is, when you go back to the source material behind yesterday’s glorious proclamation and put it into context in terms of data retention’s wider history in Australia, it becomes clear that the project as a whole has only suffered a temporary setback in its progression at best, and that at worst, this week’s events have actually played right into its proponents’ hands. Things, if you’re a bureaucrat at the Attorney-General’s Department, are pretty much right on track.

The source of yesterday’s jubilation was two-fold. Firstly, the parliamentary committee which had been examining the data retention proposal as part of a much wider package of surveillance reforms, in a process known as the ‘National Security Inquiry’, had finally — at the last possible moment, in the last sitting week of the current Parliament — delivered a report into the proposed reforms, severely criticising the Attorney-General’s Department for its lack of transparency in developing the data retention policy, and recommending a wide range of transparency and accountability measures, as well as hard limits on its power, on the data retention idea.

This report, and the extreme public reaction to the data retention proposals — which has seen a very wide coalition of interested parties ranging from the conservative thinktanks such as Institute of Public Affairs to left-leaning political groups such as the Greens, telecommunications companies, digital rights advocates, privacy commissioners and even some prominent Liberal politicians such as Malcolm Turnbull raise concerns about the package — led Attorney-General Mark Dreyfus to make the following statement yesterday:

“The Committee did not make a recommendation in relation to whether Australia should pursue a data retention regime, but the Committee did make a number of recommendations in relation to the details of a potential data retention regime. Accordingly, the Government will not pursue a mandatory data retention regime at this time and will await further advice from the departments and relevant agencies and comprehensive consultation.”

It all sounds nice and tied up, right? The parliamentary committee examining the proposed data retention policy came back strongly against it, and the Government listened, abandoning the policy. A win for the democratic process, and for Australians’ privacy rights. It’s pretty clear, right?

Wrong.

For starters, let’s look at what the Joint Parliamentary Committee on Intelligence and Security actually wrote in its report about data retention. It’s true that the committee, including its chair, Labor MP Anthony Byrne, strongly criticised the Attorney-General’s Department for a lack of transparency around its introduction of the data retention package.

However, buried down in the report, the committee also went much further into the issue. It noted: “There is no doubt that the enactment of a mandatory data retention regime would be of significant utility to the national security agencies in the performance of their intelligence, counter-terrorism and law enforcement functions”, and agreed with law enforcement agencies such as the Australian Federal Police and ASIO that much of the data which telcos used to retain is no longer being retained — resulting in “an actual degradation in the investigative capabilities of the national security agencies, which is likely to accelerate in the future”

The committee did also note the privacy challenges inherent in any data retention regime and voiced its opinion that no data retention regime should be enacted in Australia “unless those privacy and civil liberties concerns are sufficiently addressed”. Because of these issues, it ultimately avoided taking a view on the adoption of data retention in Australia, noting that “Ultimately, the choice between these two fundamental public values is a decision for Government to make.”

The problem here is that while on paper the committee threw the data retention policy option back to Government (meaning, primarily, the Attorney-General and the wider Cabinet), in practice the committee actually laid out a concrete roadmap for how the privacy implications it mentioned should be addressed in any future data retention legislation.

The committee noted that any draft data retention proposal should contain a number of key features, such as a pure focus on ‘meta-data’ and not the actual content of emails or telephone calls; the same controls on agency access to the data as already exists today; the explicit exclusion of Internet web browsing data from the scheme; a stipulation that information constituting a mix of metadata and content should be treated as content; mandatory use of encryption in storing the data; a time limit of two years on retaining the data and a cost recovery scheme where the Government should reimburse Internet service providers for their costs of keeping the data under the system.

In addition, the committee noted that a “robust, mandatory” data breach notification scheme should exist, so that Australians could be notified if their privacy had been inadvertently breached a a result of the scheme; that an independent audit function be established, and that the government ombudsman and Inspector-General of Intelligence and Security should have oversight of the system.

Furthermore, the committee also recommended that if a mandatory data retention scheme should proceed, that the committee itself should have an oversight mechanism of the scheme, that an annual report on the scheme should be presented to parliament, and that the committee review the effectiveness of the data retention regime three years after its commencement.

It seems obvious that all the Attorney-General’s Department would have to do to be able to argue that it had addressed privacy concerns inherent in any data retention regime would be to follow these recommendations as laid out by the committee. Far from seeking to block the data retention policy, the committee has laid out a direct road map to make data retention palatable. But the underlying principles of such a scheme would remain in place — universal access by law enforcement agencies to critical metadata about all Australians’ telecommunications.

Law enforcement agencies would still know, if the committee’s recommendations were followed, who every Australian called, when and for how long, who they emailed and when, and countless other details. There would be some increased privacy controls around that access, but the access would still exist. This is truly the iron fist in the velvet glove.

It’s also important to note the reaction of Attorney-General Mark Dreyfus to these recommendations. In his statement yesterday, Dreyfus said:

“The Committee did not make a recommendation in relation to whether Australia should pursue a data retention regime, but the Committee did make a number of recommendations in relation to the details of a potential data retention regime. Accordingly, the Government will not pursue a mandatory data retention regime at this time and will await further advice from the departments and relevant agencies and comprehensive consultation.”

Dreyfus’ first statement notes precisely — precisely! — what I just wrote about the committee’s report. It highlights the fact that the committee did not recommend against data retention per se, but that it made recommendations as to how such a regime could be sanitised for introduction. Dreyfus is clearly aware of just how much of a ‘get out of jail free card’ the committee handed the Government on data retention.

Secondly, Dreyfus makes a somewhat contradictory statement. Firstly, the Attorney-General claims that the Government won’t be pursuing a mandatory data retention regime “at this time”. But then Dreyfus makes it clear that the Government is still actively working in this area and will seek further advice and engage in further consultation with government departments and agencies — presumably the Australian Federal Police, ASIO and others who are heavily pro-data retention.

Because of the contradictory nature of this statement, yesterday I queried Dreyfus’ office about the issue. I asked the following questions: “Does mandatory data retention remain Federal Government policy?” and “Can Mr Dreyfus clarify what actions the Government anticipates taking as a result of the advice he mentions in the above statement, and when does it anticipate taking such actions?”

I think you’ll agree that the response I got back was less than direct.

“The purpose of the inquiry was to engage independently with the public on the merits of undertaking further work on a range of possible reform options,” a spokesperson for the Attorney-General said. “The Government will carefully consider the detailed report, including all 43  recommendations, before making any decisions on potential legislative changes.”

To understand what’s happened here, it’s important to go back to the language used by former Attorney-General Nicola Roxon when Roxon first announced the National Security Inquiry reforms back in May 2012. At the time, Roxon used strikingly similar language to that used by Dreyfus’ spokesperson yesterday.

In a statement at the time, Roxon said that the “potential” reforms would be examined by the Parliamentary Joint Committee on Intelligence and Security through public hearings, noting that this was “the beginning of the process”, and that the Government was seeking “diverse views” before determining which legislative reforms it would pursue.

“We must stay one step ahead of terrorists and organised criminals who threaten our national security,” Roxon said. “At the same time, we need to have the right checks and balances in place to ensure that those who enforce our national security laws do so responsibly. Unlike the Howard Government, the Gillard Government wants to give the public a say in the development of any new laws, which is why I’m asking the Committee to conduct public hearings. National security legislation is important – but also important is the trust and confidence that Australians have in those laws.”

What has happened here is that the Federal Government, and in particular the Attorney-General’s Department, has consciously issued a vague data retention policy to the public through the auspices of the Joint Parliamentary Committee on Intelligence and Security for the purpose of testing the public’s appetite for such a policy.

Bear in mind that nobody — not even the committee members themselves — have actually been allowed to see the actual text of any data retention legislation, and debate exists to the extent to which that legislation already exists. What the department essentially issued to the committee and the public was a vague ‘concept’ about data retention.

Through the process of the public committee hearings, what the Attorney-General’s Department now has is a roadmap to develop transparency and accountability controls around its data retention policy as a whole. As Dreyfus said, the policy and the committee’s report will now be examined internally in the Government, including by key law enforcement agencies.

What will doubtless emerge from this process is a new data retention policy and associated legislation, with exactly the same fundamental underpinnings as the old — universal storage of metadata pertaining to all Australian communications — but with the transparency and accountability measures recommended by the committee tacked on to provide some veneer of legitimacy for the policy. The Government will also be able to claim that it has extensively consulted the public on the policy — despite the fact that the public was never actually able to comment on the legislation involved.

Let’s be under no illusions here: This is not a win for Australians concerned about this process. This is a loss. When it comes to data retention, the fundamental underpinnings of such a policy are so draconian — total monitoring of Australian communications — that there really is no way that any transparency and accountability measures could make a significant difference in terms of moderating such a policy. It’s like putting transparency and accountability measures around keeping the children of asylum seekers behind razor wire in detention centres. There just is no way to make such a policy humane.

We also need to keep in mind that the likely defeat of the current Labor Government at the upcoming September Federal Election will not be likely to change the progression of the data retention policy at all. As Greens Communications Spokesperson Scott Ludlam pointed out in the Senate yesterday, this data retention policy is not dependent on an individual Attorney-General’s support. Ludlam said:

“This data retention proposal has been pursued by the Attorney-General’s Department through successive ministers. It bobs up every couple of years, and I know this will not be the last time it does … I predict that if there is a new Attorney-General post-election, or even if there is not, this proposal will come back; I have absolutely no doubt about that whatsoever. It will be exhumed in a different form, with a few of the committee’s recommendations attached, and it will be back. And it is a proposal I suspect will have to be fought and contested, potentially, again and again.”

There is every indication that the bulk of the Coalition, including Shadow Attorney-General George Brandis, has long-had bi-partisan support for data retention as a policy. I don’t think anybody should be surprised to see this policy pop up again in 2014 or 2015, as the Attorney-General’s Department, the AFP and ASIO put it forward to the Coalition Attorney-General of the day, as they put it through three successive Attorneys-General (Robert McClelland, Nicola Roxon and Mark Dreyfus) under Labor.

Yesterday Australia’s civil liberties and privacy advocates were cheering the death of data retention. But what many fail to recognise is that events have played out in precisely the way that many of the top bureaucrats within the Attorney-General’s Department, who have been through countless such struggles over the past decade, would have predicted, and that it is not what the politicians say or do in this situation that matters, because for the purposes of this debate, the politicians involved are replaceable, and in fact, often are swapped in and out.

In several months, it is very likely that Mark Dreyfus will no longer be Australia’s Attorney-General. But I can say with 100 percent certainty that there will be almost zero staff turnover amongst the top brass at the Attorney-General’s Department, the Australian Federal Police and ASIO as a result of that changeover. And these are the players who are fighting this battle — players who will be patient enough to take the data retention policy under water again for a couple of years, only to bring it back later in a slightly more palatable guise, aided — not diminished — by the recommendations this week of the Joint Parliamentary Committee into Intelligence and Security.

Let’s check back in 2014 and see just what “shelved” means in the context of the debate about this controversial data retention policy. I suspect we’ll find that out of sight, for this particular universal surveillance project, doesn’t mean out of mind.

Image credit: Terminator 3: Rise of the Machines