Make a submission
A Parliamentary Committee is currently reviewing Attorney-General George Brandis' data retention legislation and they're seeking submissions.
This is our chance to place public opposition to the legislation on the record. Will you take a few minutes to make a submission to the Committee?
If passed, the new scheme will require telecommunications companies and internet service providers (ISPs) to store information, or "metadata", about every Australian citizens' private phone calls and internet usage for at least two years. So far, 14 submissions have been made, most of which have come from law enforcement and intelligence agencies (which are, unsurprisingly, in favour of the legislation).
Make your submission today. We've included a helpful how-to guide and talking points for making your submission below. Your submission needn't be long and should only take a few minutes to write – but submissions must be made by 5pm (AEDT) next Monday 19 January.
Make your submission today. We've included a helpful how-to guide and talking points for making your submission below. Your submission needn't be long and should only take a few minutes to write – but submissions must be made by 5pm (AEDT) next Monday 19 January.
Key concerns about a mandatory data retention scheme
Communications surveillance may only be justified when it is prescribed by law, necessary to achieve a legitimate aim, and proportionate to the aim pursued.
So is the government's proposed data retention legislation necessary?
The government has not made a compelling case as to the necessity of a mandatory data retention scheme. The primary justification put forward for this legislation is that communications data is a critical element in law enforcement and intelligence investigations and that telcos and ISPs are retaining less communications data due to changing business models.
Nonetheless, this is not a sufficient justification for an indiscriminate, society-wide mandatory data retention scheme. Law enforcement and intelligence agencies already have broad surveillance powers, including a new power introduced in 2012 giving these agencies the ability to issue Data Preservation Notices that compel telcos and ISPs to retain all information about persons of interest (including the content of communications) for three months. Unlike what is being proposed here, these powers provide an appropriate, targeted mechanism for data to be retained but have to date been barely used.
Is the scheme proportionate?
An indiscriminate, society-wide mandatory data retention regime would represent a massive invasion of the privacy and security of all Australians. One of the reasons the European Union's Court of Justice (CJEU) gave for ruling an equivalent scheme invalid in April 2014 was its incompatibility with individual rights, in particular privacy and the protection of personal data, primarily due to its indiscriminate nature.
The mass, indiscriminate invasion of the privacy of all Australians and the subversion of the principle of the presumption of innocence that the government's proposal would represent is simply not proportionate to the alleged benefits that the scheme would bring, especially as there are already existing powers available that will achieve many of the same benefits. In the Efficacy section below we examine some of the claims about the effectiveness of mandatory data retention schemes.
So is the government's proposed data retention legislation necessary?
The government has not made a compelling case as to the necessity of a mandatory data retention scheme. The primary justification put forward for this legislation is that communications data is a critical element in law enforcement and intelligence investigations and that telcos and ISPs are retaining less communications data due to changing business models.
Nonetheless, this is not a sufficient justification for an indiscriminate, society-wide mandatory data retention scheme. Law enforcement and intelligence agencies already have broad surveillance powers, including a new power introduced in 2012 giving these agencies the ability to issue Data Preservation Notices that compel telcos and ISPs to retain all information about persons of interest (including the content of communications) for three months. Unlike what is being proposed here, these powers provide an appropriate, targeted mechanism for data to be retained but have to date been barely used.
Is the scheme proportionate?
An indiscriminate, society-wide mandatory data retention regime would represent a massive invasion of the privacy and security of all Australians. One of the reasons the European Union's Court of Justice (CJEU) gave for ruling an equivalent scheme invalid in April 2014 was its incompatibility with individual rights, in particular privacy and the protection of personal data, primarily due to its indiscriminate nature.
The mass, indiscriminate invasion of the privacy of all Australians and the subversion of the principle of the presumption of innocence that the government's proposal would represent is simply not proportionate to the alleged benefits that the scheme would bring, especially as there are already existing powers available that will achieve many of the same benefits. In the Efficacy section below we examine some of the claims about the effectiveness of mandatory data retention schemes.
Metadata is literally 'data about data', but is a confusing and largely unhelpful term. Even the Attorney-General finds it difficult to define. In this context, it's intended to refer to information about communications, rather than the content of the communications themselves. This is, however, in many cases an entirely false distinction, as demonstrated in this excellent article from iiNet's blog.
Even if you accept that there is a meaningful distinction between it and the content of communications, the collection of data about communications (metadata), especially in bulk, is arguably more invasive than the examination of the content of communications. As the former NSA Chief, Michael Hayden, infamously said "we kill people based on metadata". As the CJEU noted in its April 2014 ruling that the EU Data Retention scheme is invalid, metadata:
Even if you accept that there is a meaningful distinction between it and the content of communications, the collection of data about communications (metadata), especially in bulk, is arguably more invasive than the examination of the content of communications. As the former NSA Chief, Michael Hayden, infamously said "we kill people based on metadata". As the CJEU noted in its April 2014 ruling that the EU Data Retention scheme is invalid, metadata:
"…may allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environment."
There are real questions about whether bulk collection and retention of communications data is particularly effective in preventing terrorism and criminal activity.
In the US, the Privacy and Civil Liberties Oversight Board studied the impact of the NSA's data retention activities and found that there "is little evidence that the metadata program has made the US safer".
Research from Germany has shown that a mandatory data retention regime increased crime clearance rates by only 0.006%, which is statistically insignificant.
At the recent public hearing conducted by PJCIS, neither the Attorney-General's Department nor the Australian Federal Police were able provide any statistics relating to the role of retained communications data in the interception of criminal activity or in any successful prosecutions.
In the US, the Privacy and Civil Liberties Oversight Board studied the impact of the NSA's data retention activities and found that there "is little evidence that the metadata program has made the US safer".
Research from Germany has shown that a mandatory data retention regime increased crime clearance rates by only 0.006%, which is statistically insignificant.
At the recent public hearing conducted by PJCIS, neither the Attorney-General's Department nor the Australian Federal Police were able provide any statistics relating to the role of retained communications data in the interception of criminal activity or in any successful prosecutions.
It has been estimated that a mandatory data retention regime would add at least $5 per month to every internet connection account, unless the government chooses to fund such a regime, which would cost many hundreds of millions of dollars to set up and to operate.
Given that different telcos and ISPs currently retain different types of data for differing lengths of time, as determined by their individual business models, the implementation costs of this scheme will vary significantly, and will impact smaller and leaner operators harder than the bigger operators. Telstra, for example, as well as having a much greater capacity to absorb these costs, also already collects and retains (it is understood) much of the data the government is seeking for significant periods of time. Other providers, such as iiNet, retain much less data and in many cases delete that data quite quickly as they have no business reason to store it. These providers will therefore be required to create and store data that they currently do not.
This scheme will therefore have significantly adverse effects on competition with the telco and ISP markets and may force some smaller operators out of business as well as creating new barriers to entry to the market. A joint submission by the Australian Mobile Telecommunications Association and Communications Alliance to the 2012 inquiry by the PJCIS estimated the cost of the scheme proposed by the then Government to be between $100 million for basic data capture and $500–700 million with IP addresses included. iiNet's upper estimate was $400 million.
The result, of course, will be higher prices for businesses and consumers.
Given that different telcos and ISPs currently retain different types of data for differing lengths of time, as determined by their individual business models, the implementation costs of this scheme will vary significantly, and will impact smaller and leaner operators harder than the bigger operators. Telstra, for example, as well as having a much greater capacity to absorb these costs, also already collects and retains (it is understood) much of the data the government is seeking for significant periods of time. Other providers, such as iiNet, retain much less data and in many cases delete that data quite quickly as they have no business reason to store it. These providers will therefore be required to create and store data that they currently do not.
This scheme will therefore have significantly adverse effects on competition with the telco and ISP markets and may force some smaller operators out of business as well as creating new barriers to entry to the market. A joint submission by the Australian Mobile Telecommunications Association and Communications Alliance to the 2012 inquiry by the PJCIS estimated the cost of the scheme proposed by the then Government to be between $100 million for basic data capture and $500–700 million with IP addresses included. iiNet's upper estimate was $400 million.
The result, of course, will be higher prices for businesses and consumers.
The creation of massive databases of highly personal information will act as "honeypots" which will be actively targeted by malicious individuals and organised crime syndicates. In addition, the risk of inadvertent data breaches is very real – the Federal Police and the Immigration Department have both had serious inadvertent data breaches recently – as is misuse of the data by disgruntled or compromised employees.
Companies forced to retain data will seek to use the cheapest data hosting available to minimise the cost of compliance. As Steve Dalby, Chief Regulatory Officer from iiNet said last year, the cheapest data hosting available at the moment is in China. This raises the additional threat of the data being compromised by the intelligence agencies of other countries.
The question is therefore not whether this information will be compromised, but rather when and how. Any such data leak could have serious implications for the affected individuals, particularly for vulnerable people such as victims of stalking and other forms of harassment, as well as for public officials such as judges and even politicians.
The government's proposals therefore represent a real threat to the privacy and security of all Australians.
Companies forced to retain data will seek to use the cheapest data hosting available to minimise the cost of compliance. As Steve Dalby, Chief Regulatory Officer from iiNet said last year, the cheapest data hosting available at the moment is in China. This raises the additional threat of the data being compromised by the intelligence agencies of other countries.
The question is therefore not whether this information will be compromised, but rather when and how. Any such data leak could have serious implications for the affected individuals, particularly for vulnerable people such as victims of stalking and other forms of harassment, as well as for public officials such as judges and even politicians.
The government's proposals therefore represent a real threat to the privacy and security of all Australians.
The data retained under this scheme will be available to be used in civil litigation by court-issued subpoena. This means it will be able to be used in copyright infringement cases, and particularly as the data is to be retained for such a long duration, will likely lead to a great deal more "speculative invoicing" (or "copyright trolling" – see the EFA's article about this issue here). It will also potentially be used in unfair dismissal cases and other civil cases wherever a litigant can convince a judge that the data may be relevant to the case.
The issue that the Attorney-General's Department is seeking to address is by its very nature a long-term one. There is simply no justification for it to be dealt with in the expedited manner that the government is using. Rather it should be subject to lengthy and considered scrutiny by the parliament. The tactic of using the largely confected idea of a 'terror emergency' to force this legislation through parliament quickly is deeply disingenuous.
This handy submission guide has been put together with our friends from Electronic Frontiers Australia (EFA), who GetUp have partnered with on this campaign.
Don't feel that you need to address all of the issues raised by this legislation. Focus on the parts you're most concerned about.
Use your own words. If you simply copy and paste your submission, Committees tend to treat multiple similar/identical submissions as effectively a single submission.
Be polite. Aggressive language will seriously undermine the credibility of your submission. It's good form to start by thanking the Committee for the opportunity to make a submission. Reference sources. If you're making a claim, find a reference that backs it up.
If your submission is more than a few pages, you should include a summary at the start.
Use your own words. If you simply copy and paste your submission, Committees tend to treat multiple similar/identical submissions as effectively a single submission.
Be polite. Aggressive language will seriously undermine the credibility of your submission. It's good form to start by thanking the Committee for the opportunity to make a submission. Reference sources. If you're making a claim, find a reference that backs it up.
If your submission is more than a few pages, you should include a summary at the start.
There are two ways to send your submission:
1. Via email: draft your own submission and email it to dataretention@aph.gov.au
2. Via Online Form: upload your submission using the online form on the APH website available here.
The preferred format is in Microsoft Word (.doc, .docx) format, but any format is acceptable.
Please note that it is normal practice for all submissions received to be published on the Committee's website. If you do not want your name to be included, you should make that very clear in your email and should also ensure that your actual submission document does not include your name and contact details.
See also Parliament's guide to preparing a submission to an inquiry here
1. Via email: draft your own submission and email it to dataretention@aph.gov.au
2. Via Online Form: upload your submission using the online form on the APH website available here.
The preferred format is in Microsoft Word (.doc, .docx) format, but any format is acceptable.
Please note that it is normal practice for all submissions received to be published on the Committee's website. If you do not want your name to be included, you should make that very clear in your email and should also ensure that your actual submission document does not include your name and contact details.
See also Parliament's guide to preparing a submission to an inquiry here