Data Retention

By Helen Kwon and Josephine Bird. This article was produced in collaboration with Prof Nicolas Suzor at QUT, Digital Rights Watch, and Fitzroy Legal Service.

Data retention laws were introduced in March 2015 to enforceTo make people obey (a law, the terms of an agreement, etc). Also: enforceability. More Australian telecommunication and Internet Service Providers (ISP) companies to legally collect and store metadata for at least two years.  Metadata is data about data. It includes information about phone calls, text messages, emails, and your location information when your mobile phone connects to a cell tower. It also includes IP addresses of your devices, which allows law enforcement agencies to connect you with posts and communications you make online. It does not include the actual content of any communications such as your browsing history or the subject line of an email. However, some Internet Service Providers collect and store more information than they are required to under the scheme, which may also include information about your browsing history.

Metadata can say a lot about you. For example, if you called a medical centre to book an appointment with a general practitioner, your phone number and your doctor’s phone number will be collected. The specific details of your health information cannot be known because the actual contents of the phone call will not be recorded. But the phone number of the specialist doctor you are referred to and call a few days later can be used to figure out your health information. The collection of large volumes of metadata can put your privacy at risk. 

In this section:

• What is the law?
• Who can access this data?
• Why does it matter?
• What next?

What is the law?

Australian telecommunications and internet service provider (ISP) companies, big and small, are subject to the data retention requirements. You may be familiar with companies such as Telstra, Optus, iiNet, and TPG. They are legally required to store your metadata for at least two years.

The legislation requires the following metadata to be stored.

• Profile of the telecommunications service account holder – name, address and contact details, including phone number and email address, billing and payment information, and IP address associated with internet service.
• Source and destination of communications – the phone numbers from people you have called or called you, username or email of the account, and port number of the devices involved.
• Date, time and duration of communications.
• Type of communications – voice call, voice message, email or SMS. 
• Location of connection/communication – location throughout the line of communication, such as the address of the connected cell tower or wi-fi source. This informational allows law enforcement agencies to trace which cell towers and wi-fi hotspots you connect to, allowing them to track your location almost everywhere you go.

Who can access this data?

The data retention laws require telecommunications and service providers to store large troves of information in case some of it will be potentially useful in law enforcement investigations. Law enforcement and security agencies can request access to stored metadata to facilitate criminal and national security investigations without warrants. The Government justified the decision to allow warrantless access to metadata on the basis of concerns from law enforcement agencies about the burden of seeking warrants through normal court processes. 

The legislation limits data access to the following government agencies:

• Australian Federal Police
• State Police Forces
• Australian Commission for Law Enforcement Integrity
• Australian Crime Commission
• Australian Customs and Border Protection Service
• Australian Securities and Investments Commission
• Australian Competition and Consumer Commission
• Crime Commission
• Independent Commission Against Corruption
• Police Integrity Commission
• Independent Broad-Based Anti-Corruption Commission
• Crime and Corruption Commission of Queensland
• Corruption and Crime Commission
• Independent Commissioner Against Corruption 

Experts have criticised the broad scope of the law – in particular, who can access data and why they can access data. Other government agencies can also get access to your metadata, apart from those listed above. The Home Affairs Minister can declare any authority or body to be eligible for access. In 2016, 60 agencies applied for warrantless access to metadata. These included a wide variety of institutions that clearly fall outside the scope of serious crime or national security. For example, local councils have used mobile phone data to track and fine illegal dumping and police agencies have accessed metadata to monitor cadets’ personal relationships and activities outside work hours. Even agencies that are not explicitly authorised by the legislation can use other laws to get access to your metadata — the Department of Home Affairs has admitted that dozens of federal, state and territory government agencies that are not explicitly authorised have been regularly accessing metadata held by telecommunications providers. 

Why does it matter? 

The data retention laws impact our rights to privacy because it requires the collection of metadata and authorises warrantless access. This is a matter of significant importance due to our increasing dependence on digital technology and connectivity. For example, we often cannot leave our homes without our mobile phones and we use them to make calls, send emails and more. This contributes to the pool of data that will be available for access by government and law enforcement agencies.

Australia’s data retention laws also pose a potential security threat. Telecommunication and Internet Service Provider companies have warned that the large stores of data in their systems can attract the unwanted attention of malicious actors. 

Australia’s data retention regime is complex and ambiguous, which increases the risk of misuse. Although information is hard to come by, it is already clear that the regime has been used in unexpected and unlawful ways. Reports have revealed that the Western Australian police force’s misunderstanding of the law led to invalid warrants targeting journalists. The ACT police force also accessed data without proper authorisation 116 times due to an administrative error. Given the highly sensitive nature of this data, it is clear that not enough care has been taken to ensure its security. 

What next?

Data retention laws are controversial because they interfere with the human right to privacy. It is important to remain informed with  political changes to understand the extent of our online freedoms. In April 2014, the European Court of Justice struck down a similar data retention scheme. Earlier this year in Australia, Digital Rights Watch, Access Now and the Human Rights Law Centre presented a joint submission to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) review of the data retention scheme. The following recommendations were advised: 

• limiting the access to metadata to the investigations of people involved in serious crimes only, such as murder, child abuse and terrorism;
• requiring a warrantA document issued by a court directing/ allowing an officer to do something.
  For example: a warrant of apprehension (directing that a person be arrested and brought before a court); a warrant of commitment (directing that a person be arrested and imprisoned); a warrant of distress (directing that a person's goods be seized to satisfy a debt); or a search warrant (directing or allowing a person's house or workplace to be searched). More for access to metadata in all cases; 
• excluding journalists, whistleblowers and human rights defenders from investigation to protect public interest; and 
• reducing the duration of storing data retention. 

In the meantime, take care with your online activities. You should be aware that your location can be continuously tracked through your mobile phone, and make a decision about whether to turn it off when you need to. You might also want to use a trustworthy VPN that is beyond the reach of Australian authorities (and other Five Eyes countries, who share communications information between themselves) to ensure the details of your online communications are not recorded. 

Further resources to help improve your digital security:

• The EFF maintains a Surveillance Self Defence website with tips on how to protect yourself. Note that this is not specific to Australia, but you may find the tips helpful.
• AccessNow maintains a Digital Security Hotline that offers real-time, direct technical assistance and advice to civil society groups & activists, media organizations, journalists & bloggers, and human rights defenders. Access Now can help you improve your digital security practices to keep out of harm’s way, and they provide rapid-response emergency assistance if you are already under attack.
• Digital Rights Watch maintains a database of helpful tools and resources to protect yourself online.