One of Australia’s largest telcos, iiNet, has sent the Australian Senate committee examining reform of national telecommunications interception legislation an extremely strongly worded statement warning of the dangers of extending or even maintaining current data retention and website blocking practices.
Following a number of major revelations surrounding Australia’s electronic surveillance activities, especially associated with documents released by former NSA contractor and current whistleblower Edward Snowden, the Greens successfully teamed up with Labor in December to establish a formal inquiry into Internet surveillance practices by government agencies in Australia, through a review that will take place into the controversial Telecommunications (Interception and Access) Act.
The Greens have taken a strong stance against the need for unfettered surveillance of Australians by law enforcement agencies, with Communications Spokesperson Scott Ludlam stating that review of the TIA Act was “well overdue” due to its outdated nature.
The Greens appear to have taken the view that an inquiry into the potential future reform of the Act would lead to it being modernised and Australians receiving higher levels of privacy in terms of their usage of telecommunications services. However, if submissions to the inquiry so far are any indication, the inquiry itself may act as a Pandora’s Box for the issue of surveillance in Australia. Already, several different government departments and law enforcement agencies have used the forum to call for massively increased surveillance powers for Australian government agencies, although others have also used the forum to call for increased privacy rights for individuals.
In its own submission to the inquiry (available online in PDF format), iiNet strongly expressed its concerns about the data retention and website blocking plans which either already exist or which various law enforcement agencies are proposing be extended. Data retention refers to rules forcing ISPs such as iiNet to store data about their customers’ Internet usage, even including website browsing history, for a certain period (usually two years).
“iiNet is concerned that a number of law enforcement agencies, such as the NT, Victorian and WA Police, have in the course of this Review again submitted that the government should introduce a mandatory data retention regime,” the telco wrote. Such a proposal was shelved in mid-2013 following a similar review.
“These proposals extend to data not currently collected by all service providers,” the telco continued. “For example, iiNet does not retain browsing history. Even if we did retain this data, the Australian Privacy Principles highlight that best practice is to not retain personal information for any longer than we need the data.”
iiNet said it agreed with observations made by industry representative group the Communications Alliance in its own submission that a data retention scheme would involve an increased risk to the privacy of Australians and provide an incentive to hackers and criminals; and that data retention is at odds with the prevailing policy to maximise and protect privacy and minimise the data held by organisations. Industry believes it is generally preferable for consumers that telecommunications service providers retain the least amount of data necessary to provision, maintain and bill for services.
iiNet pointed out that the number of Internet-connected devices in Australia was continually increasing — with over 30 million mobile services alone.
“It is an impractical idea to store such data and it is even more impractical to suggest that a law enforcement agency can simply call up a service provider and say ‘Give me all Joe Blow’s URLs for 15 June 2012’,” the ISP said.
“Customer information, retained in line with mandatory data retention requirements, would also need to be carefully encrypted and securely stored. Unfortunately, security breaches can and will occur. As iiNet highlighted in our oral statement to the PJCIS, our estimate is that complying with such a scheme would require a large data centre storing possibly 20 thousand terabytes of data at a cost of around $60 million. There is no indication that the government would pay these costs, so our customers would have to pick up the costs in the form of a new tax collected by our industry.”
The ISP also echoed concerns previously put by the Pirate Party Australia and the Greens that the storage of so-called ‘metadata’ could be used to “create a profile of a person’s life including medical conditions, political and religious views and associations”.
“It’s not at all clear that this increased surveillance and fundamental privacy risk, together with the significant cost, is either necessary or proportionate,” it added. “We’ve not seen solid evidence that justifies surveilling minors and citizens on the chance that two years later some evidence might help an investigation.”
“iiNet is uncomfortable with the notion that commercial businesses may be forced into a role as unwilling agents of the state to collect, store and safeguard very large databases for which the companies themselves have no use – a role very different from that which those companies were originally established.”
Section 313 website blocking
iiNet also strongly expressed its concerns regarding the use of so-called Section 313 powers in the telecommunications legislation to block websites.
On May 15 last year, the office of then-Communications Minister Stephen Conroy confirmed ASIC, the financial regulator, had started requiring Australian Internet service providers to block websites suspected of providing fraudulent financial opportunities, in a move which appeared to also open the door for other government agencies to unilaterally block sites they deemed questionable in their own portfolios.
The move was based on the use of Section 313 of the Telecommunications Act, which allows government agencies to ask ISPs for reasonable assistance in upholding the law, a mechanism which is also being used for the Government’s limited Interpol-based filter to block child abuse material, under the auspices of the Australian Federal Police.
However, the law is not usually used to block websites, and there appears to be no public oversight of the process which ASIC is using, no appeals mechanism, and no transparency to the public or interaction with the formal justice system. ASIC’s action came to light after the regulator in April last year blocked several sites suspected of providing fraudulent investment information, an action which also resulted in the inadvertent blockage of some 1,200 other innocent sites. It has since emerged that ASIC has blocked “numerous” sites over the past nine months, and has also inadvertently blocked some 250,000 innocent sites. Other government agencies have also covertly used the power. It is not clear what the new Coalition Government’s view of the issue is.
In its submission, iiNet expressed its concern with law enforcement agencies’ use of section 313 of the Telco Act to force ISPs to block websites.
“The controversial use by ASIC of section 313 is one example of how the exercise of this power can contravene the principles of necessity and proportionality discussed above,” the telco wrote. “iiNet is also very concerned about the lack of appropriate due process, accountability and oversight. The scope of this law enforcement obligation is vague and uncertain and unfairly puts the onus on testing the validity of the request on the service provider. It is critical that any exercise of section 313 powers to block websites must be accompanied by sufficient information to confirm that it is appropriately authorised by a senior representative of the relevant agency.”
Alone amongst Australia’s major telcos, iiNet has a history of dissent against ongoing plans by the Federal Government (under both Labor and the Coalition) to increase electronic surveillance powers. In August 2013, for example, iiNet revealed it had not implemented the Federal Government’s limited mandatory ISP filtering scheme based on a list of offensive sites supplied by Interpol and had no immediate plans to do so, in a move which appeared to defy the Australian Federal Police’s wishes.