Right. Time for a look at the final report of the Parliamentary Joint Committee on Intelligence and Security (PJCIS) review of Australia’s mandatory data retention regime, which was tabled in Parliament yesterday. aph.gov.au/Parliamentary_…
This will be a slow thread...
This will be a slow thread...
Before I start, I should mention that there’s stories at ZDNet and iTnews...
zdnet.com/article/pjcis-…
itnews.com.au/news/pjcis-sla…
... and threads by @jpwarren and @mslods.
Justin is more cynical than Leanne, as you may know.
zdnet.com/article/pjcis-…
itnews.com.au/news/pjcis-sla…
... and threads by @jpwarren and @mslods.
https://twitter.com/jpwarren/status/1321369346875158530
https://twitter.com/MsLods/status/1321356021810409472
Justin is more cynical than Leanne, as you may know.
Right. Done. So some background. Current law required telcos to keep records for two years of, basically, which customers used which IP addresses at a particular time; the sender, recipient, time, and size of emails and messages; time and duration for phone calls...
Law enforcement and intelligence agencies can access that data on their own say-so without a warrant. It just has to be approved by any officers above a certain rank — and there’s thousands of them.
The one exception is if the person whose data is being requested is a journalist, in which case a Journalist Information Warrant is needed, from a judge or magistrate or AAT member and the like. This doesn’t work for two reasons.
1. Don’t bother getting a warrant for the journalist’s data. Get the data of all the people you think might have leaked to the journalist, and see if the journalist turns up in *their* data. Journalists had a last-minute sook and this half-arsed “protection” is what resulted.
2. Cops sometimes forget (or is it “forget”?) that they need a warrant in these cases. Oopsie. theguardian.com/australia-news…
So that out of the way, here are the terms of reference given to the PJCIS. aph.gov.au/Parliamentary_…
Ignore the 13 April deadline but, because they certainly did. Lots of parliamentary business was delayed by the COVID, so I guess that’s fair. Walk, chew gum, etc.
Ignore the 13 April deadline but, because they certainly did. Lots of parliamentary business was delayed by the COVID, so I guess that’s fair. Walk, chew gum, etc.
The PJCIS report is 189 pages, so this will be a skim of the recommendations first, and then I’ll see what else might be hidden away. Where is the report again? Here. aph.gov.au/Parliamentary_…
There are 22 recommendations. I’ll try to sum up each one in a single tweet, but this might prove to be a challenge.
1. Home Affairs should be given 18 months to “prepare national guidelines on the operation of the mandatory data retention scheme by enforcement agencies”, which means that currently there are no guidelines. So there still won’t be guidelines for another year and a half. No rush.
2. Clearly define “content or substance of a communication” as opposed to metadata. Acknowledge that metadata can reveal a lot of personal information. Good ideas.
Bonus link: David Speers’ award-winning interview with Bookshelves Brandis about envelopes.
Bonus link: David Speers’ award-winning interview with Bookshelves Brandis about envelopes.
3. In essence, if an enforcement agency inadvertently receives actual content from a telco then they must quarantine it, notify their oversight agency, and after consultation destroy the data. Good, because this has happened and the status and process was unclear.
See also: “Cops are getting full URLs under Australia’s data retention scheme” (7 Feb) zdnet.com/article/cops-a… There is content on the envelope.
4. “The Committee recommends that the data retention period be kept at two years.”
5. “Clarify that service providers are not required to store information generated by Internet of Things devices.” So a workaround: Sent your emails via your refrigerator.
See also: “Fridge sends spam emails as attack hits smart gadgets” (17 Jan 2014) bbc.com/news/technolog…
See also: “Fridge sends spam emails as attack hits smart gadgets” (17 Jan 2014) bbc.com/news/technolog…
6. More detailed reporting of how many people made how many data requests and why.
7. Within 18 months, Home Affairs to develop guidelines and processes for much more detailed reporting which can be generated on request.
I like that ASIO would have to explain “the nature of the national security risk that led to the authorisation being given”.
I like that ASIO would have to explain “the nature of the national security risk that led to the authorisation being given”.
8. The telcos should have to keep detailed records too. Seems fair.
9. Agencies should keep the data long enough for their oversight agencies to do their job (IGIS and Commonwealth Ombudsman) but then delete is as soon as it isn’t needed “(e.g. in the case of an enforcement agency, after an investigation has concluded)”.
10. “Authorised officers may only make verbal authorisations for the disclosure of telecommunications data in emergency situations,” plus some detail of how this has to be written down after the fact. This parallels similar emergency authorisations in other laws.
11. Significantly reduce the number of officers who can authorise getting the data.I know that PJCIS was quite concerned about this, as were basically everyone else except the agencies themselves.
We”re halfway through the recommendations. I see that some of you have comments and questions, but I’ll get to them after I’ve listed all 22 recommendations.
Yeah, these are only recommendations. The government has to be inclined to draft some amendments to the TIA Act, and inclined to progress them through Parliament in a timely manner. Ho ho ho! I am such the comedian.
12. “The Committee recommends that section 180 of the Telecommunications (Interception and Access) Act be amended to specify when a revocation of an authorisation takes effect.”
Another example of shoddy drafting that this wasn’t picked up in the first place.
Another example of shoddy drafting that this wasn’t picked up in the first place.
13. Change things so “an authorised officer cannot make an authorisation for access to existing information or documents unless he or she is satisfied that the disclosure is reasonably necessary for [reasons].”
Which of course means that currently... yeah you fill in the gaps.
Which of course means that currently... yeah you fill in the gaps.
14. Increase the threshold for ASIO to access data so it’s consistent with other stuff, and require ASIO to “consider privacy before making an authorisation”.
15. “The Committee recommends that section 280(1)(b) of the Telecommunications Act 1997 be repealed. OK, this is is a big one, and it’ll need some explanation.
All this stuff until now has mostly been about the Telecommunications (Interception and Access Act) 1979, which is about what it says. austlii.edu.au/cgi-bin/viewdb… This data retention stuff is in Part 5-1A, from section 187A onwards.
But there are other ways to get hold of things...
But there are other ways to get hold of things...
They’re both in the Telecommunications Act 1997. austlii.edu.au/cgi-bin/viewdb… 1997 was a big year for this stuff because reasons.
My favourite is section 313, which basically requires telcos to do their best (not “reasonable efforts”) to stop their networks being used for crimes and stuff. austlii.edu.au/cgi-bin/viewdo…
The screenshot is just the top bit. It’s far more wide-ranging than the data retention stuff
The screenshot is just the top bit. It’s far more wide-ranging than the data retention stuff
My favourite section 313 story is when ASIC decided to block some IP addresses — and took 1,200 other sites offline. Hilarity ensued.
“Reckless Oz regulator runs roughshod over rights” (16 May 2013) zdnet.com/article/reckle…
“Reckless Oz regulator runs roughshod over rights” (16 May 2013) zdnet.com/article/reckle…
Anyway, this is other one, section 280(1)(b). austlii.edu.au/cgi-bin/viewdo… I don’t fully understand it, but it looks like you can separately get a warrant or subpoena to get any document a telco might have.
@rycrozier is a fuller bottle here. Work back from itnews.com.au/news/pjcis-sla….
@rycrozier is a fuller bottle here. Work back from itnews.com.au/news/pjcis-sla….
Anyway PJCIS wants that whole thing repealed. Sounds good to me. It’s as vague as all get up.
16. Faster reporting under the TIA Act. New limit proposed is “within 3 months after each 30 June” and then 15 parliament sitting days to be tabled.
Why it takes three months to copy and paste some tabulated data into a document is left as an exercise for the reader.
Why it takes three months to copy and paste some tabulated data into a document is left as an exercise for the reader.
17. Cops should count as prescribed organisations under the Privacy Act 1988 re the Notifiable Data Breach regime, which means they have to report any data breaches involving telco data,. Not a bad idea.
18. Communicating this telco data (i.e. a cop or spook giving it to someone else) should bring on potential “disciplinary action and termination of employment”, same as applies to intercept data etc.
19. Something about oversight agencies being able to share data with other agencies if there’s a public interest in doing so. I don’t understand the subtleties of this so I’ll move on.
20. PJCIS want to be able to “commence a review of the mandatory data retention scheme by June 2025”. Seems fair. I’d go for 2023 but whatever.
21. Telcos must store all this metadata (remembering that is not the word used in the Act) on servers in Australia “unless specifically exempted”. In other words, it’s a requirement except when it isn’t.
22. And lucky last, agencies that get to use telco data should have to meet minimum security standards for holding is, with those rules to be developed by, um, ACMA.
So they‘re the PJCIS recommendations. That’s taken more than 90 minutes, so I’ll have a break and a coffee and then look at your questions and comments, and maybe poke at some of the other content of the report.
Normally I’d suggest you throw me a tip, but today you could throw me a pledge for “The 9pm End of Spring Series 2020” which ends at 9pm AEDT tonight. stilgherrian.com/endofspring2020 Back soon.
https://twitter.com/stilgherrian/status/1321198219452268545
Right, back to this report of the Parliamentary Joint Committee on Intelligence and Security (PJCIS) review of Australia’s mandatory data retention regime.
This thread started back at
This thread started back at
https://twitter.com/stilgherrian/status/1321593206060933121and I’m also unrolling it at threadreaderapp.com/thread/1321593….
Before I look at your comments, I’ll also point you to this on @MsLods’ recommendation: Yesterday’s speech by Labor’s Anthony Byrne MP, who’s been on PJCIS a lo0t and who knows the history of data retention. Worth a read. openaustralia.org.au/debate/?id=202…
This is a reference to the Journalist Information Warrant, and this is a hot button issue for me. In the TIA Act s180G it’s defined as “(i) a person who is working in a professional capacity as a journalist; or (ii) an employer of such a person”. austlii.edu.au/cgi-bin/viewdo…
https://twitter.com/joelmcourtney/status/1321605068639014912
In the Evidence Amendment (Journalists’ Privilege) Act 2011 it’s “a person who is engaged and active in the publication of news and who may be given information by an informant in the expectation that the information may be published in a news medium.” www8.austlii.edu.au/cgi-bin/viewdo…
I had a very small part in influencing the wording of the latter. I’d written a thing saying it should be about a class of people (employees of certain organisations or members of a club) but whether the person was “committing acts of journalism”.
Here it is. “Senate to re-open Bloggers versus Journalists” (7 Nov 2010) stilgherrian.com/media/senate-t… I used to write quite long blog posts in those days.
Indeed, the idea that the so-called metadata itself is very revealing has been kicking around for ages. I mean, why else would the cops and spooks even want it? Also, Margaret Stone will be a hard act to follow as Inspector-General of Intelligence and Security (IGIS).
https://twitter.com/NewtonMark/status/1321607221944332290
This is an important point. Oversight agencies are continually asking for enough money to do their jobs. They don’t get it. Indeed, they often get cuts. ANAO is a prime example.
https://twitter.com/AUSFestivus/status/1321618003910275072
Clarification on recommendation 15, thank you.
https://twitter.com/MsLods/status/1321630531155447808
Interesting. Anyone making defamatory remarks to even one person has “published” those remarks (to a public of one) so why not have a parallel view of what counts as a public for journalism i.e. recounting or commenting on the news? This too is left as an exercise for the reader.
https://twitter.com/jmfarrow/status/1321633004750430208
Yes, but the chances of this happening are rather slim. Much easier to rush through a bunch off ill-thought amendments, then drift languidly through a review process like a twig in a millpond. Or a dead trout.
https://twitter.com/MsLods/status/1321631156689776640
It has been drawn to my attention that recommendation 20, a review to start by June 2025, does allow the PJCIS to start review well before that, like in 2023, should it so choose. It’s a deadline not a timetable.
https://twitter.com/stilgherrian/status/1321616794595946498
So now some other bits and pieces from the body of the report, starting with things that weren’t recommended. For those of you following along at home, this starts on page 93.
Location data. Too useful to law enforcement to remove from the warrantless regime, apparently. This is despite noting earlier that SCOTUS has ruled that obtaining location data requires a warrant per the Fourth Amendment.
I’m skipping a lot of this section because it’s mostly the arguments in favour of each recommendation. Some of it is quite technical, in the legislative or governance sense. You can read it yourself if you want to go down the rabbit-hole.
This final paragraph is fun. Internationally data retention laws are “in a state of legal and technological flux” so AU should do its own thing. Yes. Because other nations are demanding warrants or making the whole thing illegal. Lol.
“Additional Comment by Labor Members” (pages 165–166) which I’ll just screenshot in full. It’s mainly about access without a warrant may be used to the telco data of individuals who are not themselves suspected of any wrongdoing. They propose some process around that.
To wrap up this for now, I will draw your attention to one whole chapter, “International comparisons” (pages 81–91) which might be worth reading at some point. However I have some other things to do today so I’ll leave it there.
As I mentioned before, if you found this useful then maybe throw a few dollars my way, ’cos at this stage this was all just a backgrounder for me. No story has been commissioned. Please consider.
https://twitter.com/stilgherrian/status/1321618444584808449
• • •
Missing some Tweet in this thread? You can try to
force a refresh
