Extraordinary powers in crisis, or unacceptable infringement of civil liberties
Every now and then debate around privacy would poke its head out, ruffle some feathers, and die down as we move on to other more important stuff. If the month of April is a measure, this time it seems, it may stay on for a little longer.
A cast of characters and sets have already featured as the Parliamentary Joint Committee on Intelligence and Security (PJCIS) completed its mandatory data retention review, the High Court of Australia handed down a verdict in the News Corporation journalist Annika Smethurst case, and the Morrison Government’s COVID-19 tracking app tracking app has deployed among everyday citizens.
First off, on Wednesday 15th of April, PJCIS chair Andrew Hastie announced that the Committee had finished receiving evidence on the effectiveness of the mandatory data retention regime and is now working on its final report, expected to be tabled by the end of July.
In their evidence to the Committee, law enforcement bodies maintain that the Data Retention Act is vital to their work. The Victorian Independent Broad-based Anti-corruption Commission (IBAC) said that the data retention scheme remains an essential law enforcement tool, and that the current thresholds to obtain telecommunications data are appropriate. IBAC believes that the use of telecommunications data can make the use of more invasive investigative techniques such as physical surveillance and telecommunications interception unnecessary.
The Australian Federal Police (AFP) has recommended that no reduction be made in the current two year limit for data retention. It flagged however that complex and more serious investigations may necessitate retrieval of data even older than that, thanking telecommunications providers who store metadata for longer than the mandated minimum.
Meanwhile, the Commonwealth Ombudsman noted potential gaps, ambiguities or inconsistencies in the legislation, including:
- the lack of a framework for agencies to verbally issue authorisations for access to telecommunications data, despite agencies adopting this practice in urgent or out-of-hours circumstances
- the absence of any obligation on agencies to retain the telecommunications data they receive from a carrier under an authorisation or any obligations regarding the destruction of that data, and
- ambiguity regarding what constitutes ‘content’ and whether agencies should have access to this information when disclosed by a carrier under an authorisation.
On the other end of the spectrum, telecommunications companies have rapidly become allies with consumers and privacy advocates. In its submission, Telstra recognised that while access to telecommunications data is an important tool for law enforcement, there must be an appropriate balance with Australian consumers’ expectations of privacy and minimising the regulatory burden imposed on industry. Telstra called on the Government to:
- Limit the ability of non-law enforcement agencies to use s.280 of the Telecommunications Act 1997 to access telecommunications data without a warrant.
- Reduce complexity for telecommunications companies when assessing whether it is permissible to release certain categories of data.
- Consider whether there is a need for industry-wide exemptions for Internet of Things (IoT) devices.
Telstra has also addressed privacy advocates’ concern that access to data had progressively been granted to an ever-expanding list of government bodies, increasing the risk that this posed to public trust in the data retention regime. The telco has called for all organisations accessing telecommunications data (even if they are not an identified law enforcement agency) to be required to follow the process set out for enforcement agencies in Division 4 of Chapter 4 of the Telecommunications (Interception and Access) Act (TIA Act). While this approach would not limit the non-law enforcement agencies from accessing telecommunications data, it would have three benefits:
- It would mean carriers and carriage service providers would not bear the burden to check and verify the coercive powers of every State, Territory or Commonwealth agency/department requesting data.
- It would require the authorising officer to consider whether access to the data is justifiable and proportionate.
- It would provide clarity that all entities seeking telecommunications data are captured under the standard cost recovery system of the regime, which may also encourage them to carefully consider the amount and scope of data required.
Optus discussed the high volume of requests it receives for access to data at present, and the steps it has taken to improve efficiency of access, including establishing a dedicated, security cleared liaison team, as well as an automated response service to facilitate these requests. It noted the significant amount of time and resources it invests in this endeavour and highlighted it would not support any expansion of the scope of the data retention regime without appropriate capital contributions from Government to meet additional costs.
Critics of the regime, such as Electronic Frontiers Australia (EFA), a body representing internet users concerned with digital freedoms and rights, continue to strenuously recommend that the Data Retention Act be repealed altogether. EFA’s view has been that the Committee should not consider the Act in isolation, but rather in the context of several other national security Acts which “fundamentally shift Australia into a surveillance culture” and that the Government undertake an urgent review of the cumulative effect of national security legislation on Australians’ human rights.
In a combined submission, other organisations, such as the Human Rights Law Centre, Access Now and Digital Rights Watch noted the creeping scope of the data retention regime. In 2015, the scheme was expected to be used sparingly, for the investigation of serious crimes by a limited number of agencies. Since then, over 80 government agencies have requested metadata, including racing industry and taxi services regulators. The joint submission expressed concern about the ramifications for freedom of the press, noting that in just one year, the AFP had accessed the metadata of journalists more than 60 times. They cited the raid on the home of Daily Telegraph journalist Annika Smethurst as part of a worrying trend of police investigating and prosecuting whistleblowers who have disclosed government wrongdoing in the public interest.
Coincidentally, also on Wednesday 15th of April, the High Court handed down its verdict in Annika Smethurst’s case against the AFP (judgment summary). The court unanimously held that the warrant that AFP relied on for its search of Ms Smethurst’s home on 4 June 2019 was invalid and should be quashed. The court found the warrant invalid on two grounds. First, the warrant misstated the substance of s 79(3) of the Crimes Act, which relates to disclosures of prescribed information to unauthorised persons. Second, the warrant’s description was ambiguous, failing to state precisely the alleged offence to which it related. The court therefore held that the search of Ms Smethurst’s Canberra home and seizure of documents were unlawful.
The decision was not an unalloyed victory for Ms Smethurst, however, as majority declined to grant a requested injunction requiring that the AFP return or destroy any material copied from her mobile phone. This aspect of the court’s decision leaves Ms Smethurst without certainty that she will be free from prosecution. "In many ways, it's not a huge win, because they can still use that for an investigation, or even a potential prosecution," she said on ABC’s Insiders on Sunday 19th of April. "So, until both the AFP and effectively the Government, since they've said that [Attorney-General] Christian Porter would have to sign off, until we get an assurance that there won't be any charges relating to this case, it's status quo." The chilling effect of raiding and prosecuting journalists leaves the Australian media landscape under a dark cloud.
Most pressingly, privacy concerns are now escalating around the Government’s COVID-19 tracing application, designed to track close contacts of people who may be infected. Minister for Government Services, Stuart Robert who is responsible for the app, hopes to have more than 40 per cent of Australians install it on their smartphones. Mr Robert said that the app contains no geolocation, no surveillance and no tracking. Instead, it polls its counterparts in other phones on which it is installed via Bluetooth, and notes whether two phones have been within 1.5 metres for 15 minutes. This information is to be encrypted and stored securely on an individual’s mobile phone.
While all state and territory governments, as well as health bodies such as the Australian Medical Association, and the Australian Nursing and Midwifery Federation support the COVIDSafe app, some Coalition MPs have broken rank with their own to speak out against it. In an interview with Seven Network's breakfast program Sunrise, controversial Nationals’ MP Barnaby Joyce said that although the Government had promised that the app was for a limited purpose and would be secure, it would nevertheless provide an attractive data set for hackers. Mr Joyce has brought up the unfortunate incident of My Health Records, whereby the Government had made similar privacy promises. Member for Kennedy, Bob Katter, said he would refuse to install the “Orwellian” tracking app, and would rather be thrown in jail if it were to become compulsory. “Whatever argument you have for forsaking your freedoms, at the end of the day you will find it’s a poor trade off,” Mr Katter said.
Coalition-aligned free market think tank, the Institute of Public Affairs, has also condemned it as an unacceptable infringement of civil liberties. “Being tracked by the Government in order to be free is not acceptable. This is a heavy-handed attack on the liberties of all Australians,” said Director of Policy Gideon Rozner. “History tells us that governments that give themselves extraordinary powers in states of emergency tend not to relinquish them. It took less than three years for metadata laws passed in the name of counterterrorism, for example, to be invoked by local councils to police minor infringements like littering.”
As of Monday, 4th of May, more than 4 million Australians were counted as having downloaded the COVIDSafe app already, however information collected now is not being used yet, while the States and Territories establish the process and rules on privacy for it. COVIDSafe is expected to be in full operation by mid-May in line with expectations the Government will start easing restrictions after a National Cabinet meeting slated for Friday 8 May. Prime Minister Scott Morrison has used every opportunity to urge people to download it, saying it’s like putting on sunscreen when out in the sun, but it may prove a hard sell for a government with a poor track record on keeping privacy promises.
To access original media releases, text of submissions, and other content used as examples in this article login to Capital Monitor at: www.capitalmonitor.com.au