Intelligence agency ASIO is using the Snowden leaks to bolster its case for laws forcing Australian telecommunications companies to store certain types of customers’ internet and telephone data for a set period, which some law enforcement agencies would like to be two years.
The federal spying agency is supported by the Northern Territory Police, Victoria Police, Australian Federal Police, Australian Crime Commission and Australian Commission for Law Enforcement Integrity, which all say they support a data-retention regime.
What type of data should be stored by internet and phone providers is another question. Although storing “content” data has been ruled out under a retention scheme, at least two agencies – the Northern Territory Police and Victoria Police – want web-browsing histories stored.
In its submission to a parliamentary inquiry into potential changes to telecommunications laws, ASIO argues that more people are encrypting their web communications after revelations made by US intelligence contractor Edward Snowden about widespread data collection programs by governments.
This has hastened the need for changes that would force providers to keep all customers’ “metadata” for a prescribed period, it says.
Metadata stored about a phone call could include the parties to the call, location, duration and time of the call, but not what was said. Metadata stored about internet activity could include your assigned IP address and the IP addresses of web servers you visit, or uniform resource locators (URLs) you visit and the time at which they were visited, while email metadata might include addresses, times, and the subject.
Agencies accessed metadata 330,640 times during criminal and financial investigations in 2012-13. Such data, if it is currently stored by a provider, can be retrieved without a warrant by many state and federal agencies and a small number of local councils, as well as the RSPCA, Australia Post and the Tax Office.
Privacy advocates are wary of changes to the Telecommunications (Interception and Access) Act, but intelligence and law enforcement agencies say they are vital to keep the law up to date with modern technology now that so much communication is done online.
“These changes are becoming far more significant in the security environment following the leaks of former NSA contractor Edward Snowden,” ASIO states in its submission to the Senate Committee on Legal and Constitutional Affairs.
Mr Snowden, a former contractor for the US National Security Agency, has thrown the intelligence world into turmoil in the past year by revealing sweeping data-gathering programs by the NSA.
“Since the Snowden leaks, public reporting suggests the level of encryption on the internet has increased substantially,” ASIO said.
“In direct response to these leaks, the technology industry is driving the development of new internet standards with the goal of having all web activity encrypted, which will make the challenges of traditional telecommunications interception for necessary national security purposes far more complex.”
The Northern Territory Police said in its submission it wanted telcos to store not only basic metadata but browsing histories for two years.
The policing agency went on to say that a shift away from traditional telephony services to Facebook, Twitter, Google Plus and others meant that data may be included in browser histories and was “as important to capture as telephone records”.
Victoria Police said it “strongly” supported the implementation of a data retention regime, and recommended among other things that URLs be stored “to the extent that they do not identify the content of a communication”.
Storing URLs is the same as storing a customer’s web-browsing history.
The Australian Crime Commission said the loss of data due to the absence of a mandatory data retention scheme has had a “detrimental impact” on its investigations, in terms of availability of data and certainty as to the period it will be retained.
The Australian Federal Police said it wanted to see a data retention regime in place “to ensure a national and systematic approach is taken to safeguarding the ongoing availability of telecommunications data for legitimate, investigative purposes”. It did, however, acknowledge that further work needed to be undertaken to examine the appropriate types of data stored and timeframes for retention.
The Australian Commission for Law Enforcement Integrity said requiring telcos to retain data was needed to police the police.
Digital rights group Electronic Frontiers Australia lobbied against the changes, saying retention was “an ineffective method to curb terrorism”.
“The ease with which data retention regimes can be evaded is grossly disproportionate to the cost and security concerns of the data retention regime,” it said.
Other inquiry submissions against the proposed changes came from Australian Privacy Foundation, Pirate Party Australia, Johann Trevaskis, Media, Entertainment and Arts Alliance, and ThoughtWorks, among others.
Another lengthy submission against the changes comes from an unnamed source and is a must read, covering everything from Australia’s history of spying, its relationship with NSA and Five Eyes, and recent Snowden revelations.
The Attorney-General’s Department said further exploration of options was “necessary” and that detailed consultation needed to occur with key stakeholders before providing detailed advice to government to support any decision.
George Brandis, who was shadow Attorney-General at the time, said in July, 2012, that he would “examine the issues carefully”.
Now the Coalition government’s Attorney-General, Mr Brandis said on Monday that the government was “not currently considering any proposal relating to data retention” despite the push from law enforcement agencies and the fact it hasn’t yet responded to an inquiry that examined data retention.
Australia’s Attorney-General’s department wants new laws to force users and providers of encrypted internet communications services to decode any data intercepted by authorities.
The proposal is buried in a submission by the department to a Senate inquiry on revision of the Telecommunications Interception Act.
The Attorney-General’s submission makes it clear that its proposal is a “preliminary view” that may not align with that of the broader Australian Government, which it says has made “no decision” on any TIA-related revision.
The department argues the rise of over-the-top communications (OTT) makes it more difficult to guarantee that intercepted communications will be in an “intelligible” format. The rising adoption of encryption to thwart mass surveillance attempts is irking authorities.
“Sophisticated criminals and terrorists are exploiting encryption and related counter-interception techniques to frustrate law enforcement and security investigations, either by taking advantage of default-encrypted communications services or by adopting advanced encryption solutions,” the submission noted.
Though the department does not name its key targets, Yahoo!, Google and Microsoft already enable encryption by default for their respective web-based email services. BlackBerry’s messaging encryption has also previously been raised as a law enforcement issue.
Under the department’s plan, “law enforcement, anti-corruption and national security agencies … [would be able] to apply to an independent issuing authority for a warrant authorising the agency to issue ‘intelligibility assistance notices’ to service providers and other persons”.
The department argues the obligation on service providers would merely “formalise” existing arrangements. However, forcing individual suspects to unlock encrypted messages would be a new power for authorities.
The department sees the scheme acting in a similar way to section 3LA of the Crimes Act, under which authorities can get a warrant that compels an individual to turn over passwords to seized hard drives.
Under 3LA, the individual is compelled to “‘provide any information or assistance that is reasonable and necessary’ to allow information held on the device to be converted into an intelligible form”, the department said.
The department isn’t specific about what it believes individual users could provide authorities that would aid in making sense of encrypted data from internet communication services.
It appeared to acknowledge that it could not “compel a person to do something which they are not reasonably capable of doing”. Users would also not simply be told to turn over unencrypted content to authorities.
However, the department wants failure to comply with a notice to “constitute a criminal offence, consistent with the Crimes Act.” It does not suggest what types of penalties it would seek if users did not help unlock their encrypted communications.
Encryption has been high on the agenda since revelations that the US National Security Agency (NSA) and its British counterparts were surreptitiously targeting encrypted communications on the internet.
Even before those revelations, agencies were known to be hitting up providers of web services to obtain master encryption keys in order to aid interception.