[MM_Access_Decision access=’true’]news
As many as 45 separate departments and agencies around Australia have petitioned the Attorney-General’s Department to gain unwarranted access to Australians’ metadata under the Government’s Data Retention scheme, Delimiter can reveal.
The Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2015 passed the Federal Parliament in March this year. For the first time, it forces Australian telcos and Internet service providers to retain comprehensive records on their customers’ Internet and telephone habits for a period of two years.
Even for major telcos such as Telstra, which were already retaining large amounts of data about their customers, the scheme significantly expands the amount and type of data which will be held compared to the telcos’ previous records.
However, the bill also limits the types of government departments and agencies which are able to access metadata under the scheme. A number of agencies less concerned with serious crime are now no longer able to access telecommunications data without warrants, unless the Attorney-General of the day approves their application.
Several weeks ago, Delimiter filed a Freedom of Information request with the Attorney-General’s Department regarding data retention. It requests that the Department release any letter to the Department or the Attorney-General in which an organisation requests that it be added to the list of authorised agencies able to access retained metadata under the Data Retention legislation.
Late last week Daniel Abraham, the Acting Assistant Secretary of the Attorney-General’s Department, wrote back denying the request.
In his letter, Abraham wrote that he had searched the department’s internal document management system and had found approximately 60 documents which were likely to meet the terms of the request.
Abraham wrote that there were about 863 pages contained in the 60 documents, based on an average document size of 14.39 pages in each of 23 documents which the bureaucrat had sampled.
Abraham further noted that based on his initial examination, all 23 documents he had sampled (out of the 60 total) were likely to be subject to exemptions to the Freedom of Information legislation in some part, based on the fact that the material would constitute deliberative material being considered by the department, or that it would relate to the operations of the agencies concerned.
“Based on the sample, I estimate that a minimum of 518 of the 863 estimated total pages would require consideration of application of exemptions and editing to redact exempt materials,” wrote Abraham.
Because of the time involved in carrying out this task — and the need to consult a total of 45 third parties (departments and agencies) who had filed the 60 documents with the Attorney-General’s Department seeking access — Abraham noted that it was his belief that it would take 208 hours in total effort to consider the fitness of the documents for release to the public.
On this basis, the bureaucrat wrote, he had decided to decline Delimiter’s FOI request, on the basis that it would “substantially and unreasonably divert the department’s resources from its operations”.
Delimiter has determined that it will ask the Attorney-General’s Department to initially release only a small sample of the documents, in order that this move would not unreasonably divert the department’s resources in meeting the demands of the FOI Act.
The identities of the approximately 45 agencies who have applied for data retention access have not been revealed. However, some are already publicly known.
For example, last week Australia’s state racing ministers reportedly agreed to form a unified front to demand that Attorney-General George Brandis give state racing regulatory agencies access to metadata under Australia’s new data retention laws, following existing demands from the agency overseeing the Melbourne Cup in Victoria.
In addition, in August the Parliament’s Joint Committee on Law Enforcement recommended the Australian Taxation Office be added to the list of agencies able to access data retention under Australia’s new data retention legislation, as part of a report that also recommended other technological measures to curb financial crime.
opinion/analysis
What we’re seeing here is precisely what we expected to see from the Data Retention legislation after it passed Federal Parliament: Scope creep.
The fact that the Attorney-General’s Department is currently evaluating applications from up to 45 separate departments and agencies to access metadata under the new laws is not surprising. In fact, I would say that many onlookers would be surprised that the number is so small. There are doubtless hundreds more departments and agencies around Australia that previously had access to metadata without warrants, and want that access back.
I believe the Attorney-General, George Brandis, faces a very difficult situation here.
It will be almost impossible for most of these requests to be agreed to — many of them will run directly counter to the Government’s rhetoric when it passed the Data Retention legislation that the bill was about addressing serious crime and issues of national security.
I severely doubt that Prime Minister Malcolm Turnbull — formerly an opponent of Data Retention, although he introduced the most recent legislation in the House of Representatives — will allow a situation where Brandis will allow dozens of new agencies to access the data. In addition, it’s also important to consider that such a move will need to ultimately come with supporting legislation.
Even Labor — which has supported the Data Retention policy all the way — may baulk if the scheme was significantly expanded in the way that the up to 45 applicants are currently seeking.
Yet I also believe there is no doubt that we’ll see some expansion of the scheme. Agencies such as the ATO are big enough and tough enough to get what they want from Australia’s lawmakers. And we’ve already seen the Australian Border Force, for example, added to the metadata scheme after the mega-agency was created earlier this year.
It will also be fascinating to see how this situation develops as this Freedom of Information request progresses. At a certain point, some documents will have to be released, and we’ll definitely see a list of departments and agencies who have applied at some point. It will be interesting to see just how much the Attorney-General lets out of the veil of silence, and when.
Image credit: Parliamentary Broadcasting[/MM_Access_Decision]
So even though no ISP is recording and storing said metadata, all of these agencies want access to it already. Get a warrant!
“So even though no ISP is recording and storing said metadata, all of these agencies want access to it already.”
Preparing for a rainy day …
Isn’t it funny just how many people want to open Pandora’s Box. Scope Creep is alive and well.
Access is wanted because “we think you are a bad person” is considered sufficient cause; they need the data to try and prove enough to make actual legal proceedings stick. If you haven’t done anything wrong, there’s nothing to be afraid of. Right?
I would very much like to see “get a warrant” as the AGs’ de-facto response. It should be; IANAL but virtually all of these requests likely exist because a judge would otherwise have laughed at an equivalent warrant request missing any probable cause, evidence or some other legal reason to permit it.
Good news for vpn providers.
Only if those VPN providers are hosted/owned in Australia.
Take, for example, the US-based ones: they only protect US citizens’ privacy; any foreign customer will typically have their details handed straight over. Mileage probably varies depending on where else the VPN is based.
Stick with any first world VPN provider outside the Five Eyes of UK, US, Canada, Australia and New Zealand (yes, it’s a term) and privacy focused laws and use that as your VPN exit point as a starting point.
Do NOT use a VPN provider hosted within Australia.
VPN Providers are not subject to data retention laws, irrespective of where their servers are located.
I use two providers, with servers located around the globe. It makes no difference if I connect to their US or Hong Kong based servers or their Australian ones, they have no legislative requirement to keep my metadata, nor do they.
The government cannot ‘force’ them to keep logs or data under this legislation for their servers located within Australia.
That’s correct about the data retention laws, but there is precedent for providers (not just VPN) operating within those countries to be legally coerced into giving up the keys to their encryption, therefore opening their clientele to interception (see the Lavabit case for an example of this).
That’s why you seek exit points in countries where it is difficult even for the government of that country to obtain this.
Also keep in mind that the Five Eyes share information, therefore, for example, the NSA is prohibited from spying on US citizens, that doesn’t stop GCHQ (UK) from doing it, and sharing that information with the NSA. Likewise with Australian Intelligence organisations as well.
That’s the scary part about this, the metadata retention only enhances that apparatus where governments can sidestep the laws of their own country by getting other friendly countries to do it for them.
What are the rules the AGD is using to evaluate these requests? What is their likelihood of success? What do/would they need to do in order to be successful, and is the AGD providing such feedback, or are rejections simply a canned statement? What kind of processing cost is involved for each application and what is the overall cost to the public for all of this?
Hi I’m from the corner shop deli and I want your meta data…
*approved*
Well that was easy.
It’s funny that in defending the policy, the Liberals and Labor assured their constituents that data retention would actually formalise the process, giving it even more oversight. It would also limit the accessibility of metadata to law enforcement only.
It is quite clear it was all lip service. Anyone who had access under the old system will get access again, they just need to apply. It wouldn’t surprise me if all local, state and federal government departments / agencies simply get it by default after a while.
Where do you live?
On second thoughts I don’t need to ask you…
I wonder if journalists would also be able to get access to it? Some interesting connections might come out of it.
Individuals can get hold of their own metadata. It was part of the legislation that it would be treated as personal information therefore for a fee someone can request their own. From there you could pass it on to a journalist.
I have absolutely no doubt that when people start requesting metadata, what they get is a LOT more than the legislated data set. It is simply easier for an ISP to collect MORE rather than strip out unnecessary revealing info which requires manual remediation and it’s very expensive to do. Minimal to no funding support by gov = cutting corners.
You can be assured the agencies requesting the data are going to get a lot more than the minimum required to keep :)
VPN isn’t a get out of jail free card. The assumption that someone else’s network that doesn’t terminate in AU is inherently more secure because no data retention is a very flawed one.
It’s useful to sidestep retention here, but that doesn’t preclude access details and activity being entirely untraced or untraceable. It doesn’t work that way. I am quite sure most operators intend for the service to provide some degree of secured service and partial anonymity; but it’s still effectively someone else’s network your data is being carried over.
People tend to do dumb things when there is perceived safety (as opposed to actual). ;)
Again, it is beholden on the AGDs’ department to stick to the policy terms and virtually all of these requests should be met with the department equivalent of “get a warrant”. It’s not upholding the concepts of law if it doesn’t. It would be entirely against the purpose of the entity.
I agree that it isn’t a get out of jail free card, however the assumption there is that it’s being used for nefarious purposes in the first place. I value my family’s right to privacy, therefore all our devices operate via a VPN. I simply disagree with the government that my personal information should be available to them on demand without any judicial oversight. I’m also uncomfortable with said personal information over 2 years being made available to incompetent public servants and, I would imagine, passed on to overseas Five Eyes partners under standard information sharing arrangements.
As soon as the data is passed on by the ISP there is absolutely no oversight on its destruction. Duplication, misplacement, incorrect usage. All of these things will happen and without any recourse or oversight. There will certainly be no avenue of complaint for an end user who may / may not even be aware their data has been accessed.
VPN isn’t perfect but I would much prefer the information my ISP has on me be thousands of timestamped connections to my VPN’s IP address rather than what it could be without it. I shiver at what the potential content collected could be without any VPN at all. Most ISPs are going to do this on the cheap, cut corners with absolutely no consideration to customer privacy at all, because there is nothing legislated in forcing them to.
Can you imagine the meggaterrafloppabytes of woeful crap that they will collect? I wonder if a storage provider put them up to this?