18 October 2012

Data Retention Questions

In discussing the development of the new Australian data retention regime I have recently noted the claim by the Australian Federal Police that people can and should trust that organisation.

That claim is somewhat at odds with testimony to the Senate Legal & Constitutional Affairs Legislation Committee at the 16 October Estimates hearing (video here).

One example is the exchange between Senator Ludlam, AFP Commissioner Negus and AFP Assistant Commissioner (and cybercrime czar) Gaughan.
Senator Ludlam: Are you aware Telstra were recently logging all 3G users' web access over their mobile network and were sending the information to an overseas server for the development of some kind of new filtering product? There have been suggestions that this behaviour by Telstra was in breach of the TIA act and warranted investigation by the federal police. Can you fill us in: firstly, are you aware of the breach I am referring to? 
Mr Negus: I will get the head of our high tech crime unit to come to the table and perhaps give us some more details. 
Mr Gaughan: Senator, this is the first I have heard of that, and I am in regular contact with Telstra. 
Senator Ludlam: True? Okay. Is it the first you have heard that the AFP's intervention was called for, or the first you have heard of that data breach? 
Mr Gaughan: It is the first I have heard of the data breach. 
Senator Ludlam: That is interesting. It might help if I table some material so that you know what I am referring to. I am aware that a number of people did make complaints. It was effectively transferring traffic on Telstra's network to a cloud-hosting provider in the United States, which then potentially exposed Australian data to the Patriot Act, which obviously has very different ideas around privacy protection than we do here. A number of constituents that I am aware of did receive traffic back from the AFP saying, 'We have to prioritise. Our case load is very heavy; we will not be investigating this one.' But, if you are not aware of that, I might come back to that later and give you some material to work with. To whoever wants to take these questions: I am just referring to the national security inquiry that is underway at the moment and is before the joint committee.

It is disturbing, to say the least, that the AFP officer who is assuring us that the organisation is trustworthy and that the proposed legislation is benign seems to have no knowledge of a practice that received major coverage in the mass media, in the specialist media and in examination by the Privacy Commissioner.

The testimony continued with Senator Ludlam stating:
I am aware you gave evidence on 26 September with a number of other commissioners from around the country … Can you tell us about the AFP's role in the lead-up to the announcement of this committee? Did you play some part in forming the terms of reference or provide material for the discussion paper that came with the committee? ...
Mr Negus: Yes, we certainly could have a look now and get back to you very shortly about that. It was a few days before my appearance. 
Senator Ludlam: All right. Great. Obviously I have got quite a keen interest in this one. You are giving evidence to the joint committee now, which is good. 
Mr Gaughan: We have been involved from the outset in relation to this particular issue, working with the Attorney-General's Department and other Commonwealth agencies, in relation to preparing the discussion paper that was put forward before the committee. Obviously, as a user of the telecommunications interception act, we have a strong interest in where this goes. There has been a number of different meetings convened over the period of time before this paper went forward. There is working group level, where the people are talking about exactly the content of a proposed bill, and there are also more senior discussions in relation to some of the strategic issues that are currently before that committee.
Senator Ludlam: All right, thank you. Now I am aware that this, at least from the Attorney General's Department's point of view, goes back a number of years: four meetings that they had convened with telecommunications providers. Were the Federal Police involved in those meetings? 
Mr Gaughan: I have certainly been involved in some of those meetings. That has been with some of the larger telcos, particularly Optus, Telstra, Vodafone and Hutchison in South Australia. Some of those meetings I have been involved in and others I have not. That question is probably best answered by the department. 
Senator Ludlam: No, as for the Federal Police's involvement, they would refer me back to you. Are those meetings ongoing, or have they lapsed while the joint committee does its work? 
Mr Gaughan: I have not been involved in a meeting of that nature for at least six months. 
Senator Ludlam: Okay. Does that mean they are not occurring or your involvement has ceased? 
Mr Gaughan: My involvement is not occurring. Whether they are still happening would be a matter for the department. 
Senator Ludlam: You recently sent Deputy Commissioner Phelan around the country. I am just going to cite briefly from the evidence that you gave a week or so ago. You sent the Deputy Commissioner: ... around the country and he spoke to every jurisdiction about the issues we saw as being important for Australian law enforcement. Why have you done that? Why has the Deputy Commissioner been tasked to do that? 
Mr Negus: Because it was a federal committee, we basically saw that someone needed to take a bit of a leadership role from the law enforcement perspective. It is one of the reasons I asked my fellow commissioners to appear together, so that we could have a bit of a united front, if you like, and put forward those issues from the law enforcement perspective. So, because, as I said, many of the states and territories do use interception and are involved in this process but do not really have a voice, other than providing a submission to the committee, we sent Deputy Commissioner Phelan around to talk to them about issues that we thought were important, seek them and encourage them to actually put a submission into the committee, which most of them did, and answer any questions they may have about how this process is undertaken at a federal level. 
Senator Ludlam: And that evidence, or some of it at least, is now on the public record. 
Mr Negus: I have to say, too, that we put a public submission to the committee—and, again, that is available on the website—and our position is very clear with regard to what we are trying to do here. The information that was provided in camera by Deputy Commissioner Phelan and Assistant Commissioner Gaughan was very much about the operational examples of these issues around methodology. So there was nothing untoward in that regard; it was more things that we would not put on the public record because of our operational capability. 
Senator Ludlam: Yes, I understand that. So that material is also beyond the reach of this committee while we are in public session. I am just interested in the idea that you would send a deputy commissioner around the country to get everybody onto the same page before you gave evidence. 
Mr Negus: I see this as one of the most important strategic issues for law enforcement in the next decade. If we do not get this right, balancing the privacy obligations and the privacy principles that underpin the TI Act 1979, then from a law enforcement perspective, the Australian public are going to have an outcome which is going to be suboptimal. Organised crime, terrorists and other things will get an advantage that I do not think had been anticipated in this regard. We are not seeking additional powers; all we want to do is modernise the TI Act to the context of what is really the communications and telecommunications industry of today. In 1979 when this act was launched, I do not think anyone could have foreseen what this would become in the way that people would communicate in 2012 and beyond. We want something that is technology neutral. We want to protect people's rights and liberties. We do not want additional powers. We still want to make sure that people are obliged to go and seek a warrant from a judicial officer to get content data. But the non-content data—and they are the things that we have been talking about here around the fact that a telephone conversation took place, where it took place and what the numbers were—are the sorts of things that we see as really important to get some consistency across telecommunications carriers and other areas through the use of quite legitimate law enforcement.

Given the vagueness of the proposals, noted in this blog and in articles in Privacy Law Bulletin, there is substantive concern regarding the meaning of that non-content data (aka telecommunications traffic data).

Senator Ludlam: Could you provide us with your working definition, written or otherwise, of non-content data? 
Mr Negus: Absolutely. In fact, I have one written down. We could actually tender one. The department has one here which we have worked on. 
Senator Ludlam: I would appreciate that. 
Mr Wilkins: We have a definition here that is probably useful. Particularly if you are going to talk to us and some of the other agencies about the same topic, it is actually important that we make that available to you.
Senator Ludlam: I would greatly appreciate that, with the consent of the chair. 
Mr Wilkins: It is a folio, really. 
Mr Negus: I agree that it would be useful to table this, because there has been a lot of confusion in the media reporting about what is content and non-content data. I think it has unfortunately alarmed many people that some things would be looked at by law enforcement when in fact that is not exactly the case.

That "confusion" extends to the legal community and is not wholly an attribute of media reporting.

Senator Ludlam: It certainly alarmed me and I will go into a bit of detail as to why. Chair, are you happy for that material to be tabled and circulated? 
CHAIR: Yes, that is fine. 
Senator Ludlam: Great. Can I just summarise a sketch without having seen the document that you are about to circulate? Is it the case that the definition of non-content data is basically anything except the content of the communication itself, or is it a bit more technical than that?
Mr Negus: Have a look at the definition first, Senator. 
Senator Ludlam: All right. We come back to that in a moment then. Do you think it is appropriate, Commissioner, that that material is at the moment being applied for a bit under two dozen agencies—as the TI(A) Act annual report describes, without any warrants at all? You actually provided us with the paperwork that the AFP is obliged to go through to obtain those. Do you acknowledge that no warrants are required? 
Mr Negus: That is right. As I think I have said to you before, I think the AFP applied for 23,000 of these last year. So if you were wanting to grind the AFP to a halt, then you should implement a warrant scheme to actually do non-content data application—because 23,000 of these would require 23,000 judges to consider affidavits for those to be prepared and for those to be granted. It is an unrealistic expectation. I think there are certainly significant safeguards in place and I am confident that internally within the Australian Federal Police we actually provide a level of scrutiny and accountability to that that we treat very seriously. 
Senator Ludlam: Can you tell me why you think it is appropriate that suspects need to be named and targeted and serious crimes need to be under investigation and warrants need to be applied for for a direct intercept of a phone call but detailed locational data, moment by moment, of exactly where I am at every given moment of every day, should not have any warrant or any of those preconditions applied? Why is one worthy of such protection and the other one is not? 
Mr Negus: One is a far greater intrusion into an individual's personal discussions than the other— 
Senator Ludlam: Commissioner, I strongly disagree. 
Mr Negus: Senator, that is a matter for you, and that is what the committee is actually considering. What I was going to say at the very beginning of this is that this whole information is being considered by another committee, which we have appeared before. We have put a public submission in and we have had a number of our officers appear before that committee. There has been a range of different views expressed, and really it is a matter for that committee to consider all of those and make recommendations accordingly. We are but one player in this process. 
Senator Ludlam: Yes. 
Mr Negus: We have tried to play a coordinating role to look to have the best possible information available for the committee so that they can make an important decision. But, as I said at the beginning—and I do not resolve from it—perhaps one of the most important things that law enforcement will face in the next decade is to get this right in balancing the privacy issues with the availability of data and information to law enforcement to protect the community. 
Senator Ludlam: I recognise that and I understand that. It is also a legitimate role of this committee to put precisely the questions that I am, while you are flying people around the country trying to get everybody on the same page. 
Mr Negus: I reject that, Senator. This is not about getting people on the same page; this is about coordinating a response. We did not tell people what to say in their submissions; we just encouraged them to be part of the debate, and answered any of their questions about what would be the federal process and how this would unfold. So I reject your assertion that we sent someone around in an untoward way to get people onto the same page, because that is not what was actually undertaken.  
Senator Ludlam: I have now got the definition that we are working to, and I appreciate that. It is not just the Federal Police applying for these; it is the tax office, at least one local government authority that I am aware of, welfare agencies, anticorruption agencies and all sorts of folk. Do you concede that you are now able to create very, very detailed real time maps of an individual's social networks, their movements and their transactions— effectively everything about their lives apart from the content of the communications? 

Ludlam has identified a key issue, one that is recognised in much of the legal literature. Traffic data allows robust inferences about private lives and about the content of the communications.

Mr Gaughan: Senator, that document that you have in front of you does not talk about web browsing. We are not seeing web browsing as part of that. 
Senator Ludlam: It relates to communications for internet. 
Mr Wilkins: It does not include web browsing. 
Senator Ludlam: It says internet. 
Mr Wilkins: It does not include web browsing. 
Mr Gaughan: Mr Wilkins makes a very good point. Talking about getting into the details of what someone is looking at is arguably content. We are not after content. Clearly what is defined in that is metadata. It is important for us to have that information for us to undertake basic investigations. All of the sworn members in this room have been in the police force for in excess of 25 years, and I cannot recall any investigation that I have been involved in as a constable or the investigations that I have oversighted as an assistant commissioner or the ones that my telecommunications interception arm is involved in that do not use metadata. It is the primary function of law enforcement. The fact that the authorisations as recorded in the annual report have been consistent over the last three to four years in my view shows that the use of metadata is efficient and effective in bringing people to justice. We pay for this information. If it was not effective, we would not be using it; we would be doing something else.
Senator Ludlam: I am not arguing about its effectiveness. I will read from the sheet that you have just tabled. Part I says 'relates to communications for item 2, internet,' and then it says, 'Information that allows a communication to occur,' and the first dot point there says, 'the internet identifier'. I presume you mean an IP address there. 
Mr Gaughan: Correct. 
Senator Ludlam: It says 'The internet identifier assigned to the user by the provider,' but you are telling us that that would not allow you to identify web traffic. 
Mr Negus: That is right. 
Mr Gaughan: What it does, Senator, is it allows us to identify who has used a particular IP address when they have undertaken a certain activity - for example, downloading child abuse material. 
Senator Ludlam: From the web. 
Mr Gaughan: From the web. If we do not have that IP address we cannot start the investigation. 
Senator Ludlam: I am with you, but I am also profoundly confused. You have just explained that this is not about identifying web traffic. That is now how I read this piece of paper. 
Mr Wilkins: You would need to get a warrant to get that information, Senator. 
Senator Ludlam: You would need to get a warrant to find out, for example, a specific URL that someone had visited - not a copy of the page but the URL? That is not my understanding of how the system works at the moment. 
Mr Gaughan: For instance, how it works in child protection investigations is a very good example. We receive from our international law information agencies what has been accessed - that is, child abuse material - and an IP address. That is all we get. We do not get any other information. We then ask the telcos to identify who has accessed that IP address to enable us to commence the investigation. 
Senator Ludlam: So who held the IP address for a period of time in which content was accessed? 
Mr Gaughan: Correct, but it is in undertaking our specific investigation. We do not go on fishing expeditions. We do not obtain IP addresses and then go seek the internet of what they have looked at. That is web browsing. 
Senator Ludlam: But there would be nothing preventing you. You guys are busy and presumably you do not have time for fishing expeditions. 
Mr Gaughan: Correct. 
Senator Ludlam: But there would be nothing preventing you from doing exactly that. 
Mr Gaughan: As Mr Wilkins said, we would need a warrant. 
Mr Wilkins: The law prevents them, Senator. 
Senator Ludlam: I am not sure that it does. 
Mr Wilkins: It does. 
Senator Ludlam: If you can provide us with exactly how that is the case, that would be appreciated. I am sorry, but that directly contradicts— 
Mr Wilkins: I guess we will just have to spell it out in words of one syllable for you, but it does. 
Senator Ludlam: That is a profoundly unhelpful response to the question. If you want to do that, you would be very welcome. I would like to see you try. 
Mr Wilkins: We are trying to be helpful, Senator. We have just explained to you how this is meant to operate. 
Senator Ludlam: This will be a bit out of the AFP's hands, so I can put this to the department a bit later if you like, but of the just under a quarter of a million metadata or communications data requests that were reported in the last annual report, none of that relates to web traffic. If that were the case you would need warrants. 
Ms Smith [Attorney-General's]: The majority of those requests are in relation to subscriber requests—names and addresses and things like that. The internet aspect of that will be in relation to IP addresses. For example, through an intercept they have found out that there are various people accessing it and they will have a number of random IP addresses. They will go to the provider and say, 'Who belongs to these IP addresses?' under a data authorisation. But they have no authority, and the law does not allow them to access the contents of the communication outside a warrant. The TIA act is very clear in its definition of what is a communication, and includes issues like web browsing and anything that goes to the substance of a communication. 
Senator Ludlam: Yes, but I can give you a URL of a web page without disclosing what is on that page. What I am trying to identify now, in words of one syllable, is whether a URL is communications data/metadata or whether it is content. 
Ms Smith: The department has always taken a very conservative approach in relation to URLs to ensure that there is no unintended access to content of communications under data authorisations. 
Senator Ludlam: Are you able to point me to the part of the Act that says it is or is not a URL? 
Ms Smith: There is no definition under the current legislation and, as has already been noted, this is a matter for the PJCIS as far as modernising the legislation— 
Senator Ludlam: It is a matter for this committee as well. 
Mr Wilkins: What we are saying is that is our interpretation of the current legislation, and it would be made very clear in new legislation that that is the case.

There has been no indication of that so far.

Senator Ludlam: That a URL, for the purposes of the way you are currently interpreting these requests, is content and not communications data? 
Ms Smith: Correct. 
Mr Wilkins: That is right.

Discussion then moved to the working group on the data retention proposals. That group may or may not have featured much involvement or consultation with the Privacy Commissioner. We might reasonably expect the Commissioner to have close involvement in the development of proposals that have major privacy implications and that, on the basis of committee hearings over the past three years, are highly controversial.

Senator Ludlam: Can we go to the working group you mentioned earlier, Mr Negus. Could you spell out what its task is at this stage? 
Mr Negus: I think Assistant Commissioner Gaughan mentioned the working group; I will pass it back to him. 
Mr Gaughan: Initially it was to discuss some of the things that Mrs Smith has alluded to - the fact that there is no definition of a lot of the issues that are currently open for discussion and debate - and to try to come up with some terms and some words that everyone agreed to. We obviously still have some work to do with that, and the committee has come back to us a number of times in relation to some of those particular issues. The working group was also responsible for assisting and putting together the discussion paper that forms the basis of the PJCIS discussions at the moment. 
Senator Ludlam: Are you able to provide for us the membership of the working group and what its standing is? Is it informal or does it have some standing? 
Mr Gaughan: That is probably best answered by the department. Certainly, the AFP has a member in their group, but it is probably a question for Mrs Smith. 
Mr Wilkins: Do you want us to answer questions on this? We might as well. There is no working group at the moment. It is basically in abeyance. We are basically waiting to see what comes out of the committee, and then we may reconstitute a working group. 
Senator Ludlam: So there was a working group that was stood up to help produce that discussion paper and the terms of reference, and then it was stood down for the time being? 
Ms Smith: No. What the working group did was look at the need to reform the legislation, as Mr Gaughan has said. It was about coming up with some of the challenges that the current legislation faced. The work on the terms of reference et cetera was done by a different group of people. 
Senator Ludlam: Can you provide for us an idea of the working group when it was active; the membership and the duration that it worked for? 
Ms Smith: It was essentially the Attorney-General's Department, the AFP, the Department of Broadband, Communications and the Digital Economy— 
Senator Ludlam: You can put this in writing if you would prefer. 
Ms Smith: Would you prefer us to take it on notice? 
Mr Wilkins: We will take it on notice and make sure we get the names right. 
Senator Ludlam: Particularly on the DBCDE about what officer they were represented by or at what level they were represented. What about the Privacy Commissioner? 
Mrs Smith: We have certainly consulted the Privacy Commissioner on aspects. 
Senator Ludlam: Were they on the working group?
Mrs Smith: I am not sure. We will take that matter on notice.
Senator Ludlam: You cannot recall if they were involved? 
Mrs Smith: It was some time ago because we have moved into the PJCIS phase now. I will have to take that on notice.

Memories are short in A-G's, apparently.

Malcolm Turnbull, the Law Institute of Victoria, senior barristers and bodies such as the Victorian Privacy Commission ("the introduction of intrusive powers suggested in the Discussion Paper fails to achieve those tests of legitimacy, necessity, proportionality and effectiveness") have all expressed strong concern regarding the proposed legislation. The lack of detail, factual inaccuracies and inconsistencies in claims do not induce trust. The arrogance of the head of the Attorney-General's Department is disappointing. Uncertainty about whether there has been meaningful consultation with the Privacy Commissioner suggests that the Government's claims regarding its respect for privacy are hollow. If the Government doesn't think that the Privacy Commissioner is important, why should we?