Right. Time for a look at the final report of the Parliamentary Joint Committee on Intelligence and Security (PJCIS) review of Australia’s mandatory data retention regime, which was tabled in Parliament yesterday. aph.gov.au/Parliamentary_…

This will be a slow thread...
Before I start, I should mention that there’s stories at ZDNet and iTnews...
zdnet.com/article/pjcis-…
itnews.com.au/news/pjcis-sla…

... and threads by @jpwarren and @mslods.



Justin is more cynical than Leanne, as you may know.
@jpwarren @MsLods I will skim those four things before continuing this thread. Stand by.
Right. Done. So some background. Current law required telcos to keep records for two years of, basically, which customers used which IP addresses at a particular time; the sender, recipient, time, and size of emails and messages; time and duration for phone calls...
Law enforcement and intelligence agencies can access that data on their own say-so without a warrant. It just has to be approved by any officers above a certain rank — and there’s thousands of them.
The one exception is if the person whose data is being requested is a journalist, in which case a Journalist Information Warrant is needed, from a judge or magistrate or AAT member and the like. This doesn’t work for two reasons.
1. Don’t bother getting a warrant for the journalist’s data. Get the data of all the people you think might have leaked to the journalist, and see if the journalist turns up in *their* data. Journalists had a last-minute sook and this half-arsed “protection” is what resulted.
2. Cops sometimes forget (or is it “forget”?) that they need a warrant in these cases. Oopsie. theguardian.com/australia-news…
So that out of the way, here are the terms of reference given to the PJCIS. aph.gov.au/Parliamentary_…

Ignore the 13 April deadline but, because they certainly did. Lots of parliamentary business was delayed by the COVID, so I guess that’s fair. Walk, chew gum, etc.
The PJCIS report is 189 pages, so this will be a skim of the recommendations first, and then I’ll see what else might be hidden away. Where is the report again? Here. aph.gov.au/Parliamentary_…
There are 22 recommendations. I’ll try to sum up each one in a single tweet, but this might prove to be a challenge.
1. Home Affairs should be given 18 months to “prepare national guidelines on the operation of the mandatory data retention scheme by enforcement agencies”, which means that currently there are no guidelines. So there still won’t be guidelines for another year and a half. No rush.
2. Clearly define “content or substance of a communication” as opposed to metadata. Acknowledge that metadata can reveal a lot of personal information. Good ideas.

Bonus link: David Speers’ award-winning interview with Bookshelves Brandis about envelopes.
3. In essence, if an enforcement agency inadvertently receives actual content from a telco then they must quarantine it, notify their oversight agency, and after consultation destroy the data. Good, because this has happened and the status and process was unclear.
See also: “Cops are getting full URLs under Australia’s data retention scheme” (7 Feb) zdnet.com/article/cops-a… There is content on the envelope.
4. “The Committee recommends that the data retention period be kept at two years.”
5. “Clarify that service providers are not required to store information generated by Internet of Things devices.” So a workaround: Send your emails via your refrigerator.

See also: “Fridge sends spam emails as attack hits smart gadgets” (17 Jan 2014) bbc.com/news/technolog…
6. More detailed reporting of how many people made how many data requests and why.
7. Within 18 months, Home Affairs to develop guidelines and processes for much more detailed reporting which can be generated on request.

I like that ASIO would have to explain “the nature of the national security risk that led to the authorisation being given”.
8. The telcos should have to keep detailed records too. Seems fair.
9. Agencies should keep the data long enough for their oversight agencies to do their job (IGIS and Commonwealth Ombudsman) but then delete it as soon as it isn’t needed “(e.g. in the case of an enforcement agency, after an investigation has concluded)”.
10. “Authorised officers may only make verbal authorisations for the disclosure of telecommunications data in emergency situations,” plus some detail of how this has to be written down after the fact. This parallels similar emergency authorisations in other laws.
11. Significantly reduce the number of officers who can authorise getting the data. I know that PJCIS was quite concerned about this, as was basically everyone else except the agencies themselves.
We’re halfway through the recommendations. I see that some of you have comments and questions, but I’ll get to them after I’ve listed all 22 recommendations.
Yeah, these are only recommendations. The government has to be inclined to draft some amendments to the TIA Act, and inclined to progress them through Parliament in a timely manner. Ho ho ho! I am such the comedian.
12. “The Committee recommends that section 180 of the Telecommunications (Interception and Access) Act be amended to specify when a revocation of an authorisation takes effect.”

Another example of shoddy drafting that this wasn’t picked up in the first place.
13. Change things so “an authorised officer cannot make an authorisation for access to existing information or documents unless he or she is satisfied that the disclosure is reasonably necessary for [reasons].”

Which of course means that currently... yeah you fill in the gaps.
14. Increase the threshold for ASIO to access data so it’s consistent with other stuff, and require ASIO to “consider privacy before making an authorisation”.
15. “The Committee recommends that section 280(1)(b) of the Telecommunications Act 1997 be repealed.” OK, this is a big one, and it’ll need some explanation.
All this stuff until now has mostly been about the Telecommunications (Interception and Access) Act 1979, which is about what it says. austlii.edu.au/cgi-bin/viewdb… This data retention stuff is in Part 5-1A, from section 187A onwards.

But there are other ways to get hold of things...
They’re both in the Telecommunications Act 1997. austlii.edu.au/cgi-bin/viewdb… 1997 was a big year for this stuff because reasons.
My favourite is section 313, which basically requires telcos to do their best (not “reasonable efforts”) to stop their networks being used for crimes and stuff. austlii.edu.au/cgi-bin/viewdo…

The screenshot is just the top bit. It’s far more wide-ranging than the data retention stuff.
My favourite section 313 story is when ASIC decided to block some IP addresses — and took 1,200 other sites offline. Hilarity ensued.

“Reckless Oz regulator runs roughshod over rights” (16 May 2013) zdnet.com/article/reckle…
Anyway, this is the other one, section 280(1)(b). austlii.edu.au/cgi-bin/viewdo… I don’t fully understand it, but it looks like you can separately get a warrant or subpoena to get any document a telco might have.

@rycrozier is a fuller bottle here. Work back from itnews.com.au/news/pjcis-sla….
Anyway PJCIS wants that whole thing repealed. Sounds good to me. It’s as vague as all get up.
16. Faster reporting under the TIA Act. New limit proposed is “within 3 months after each 30 June” and then 15 parliament sitting days to be tabled.

Why it takes three months to copy and paste some tabulated data into a document is left as an exercise for the reader.
17. Cops should count as prescribed organisations under the Privacy Act 1988 re the Notifiable Data Breach regime, which means they have to report any data breaches involving telco data. Not a bad idea.
18. Communicating this telco data (i.e. a cop or spook giving it to someone else) should bring on potential “disciplinary action and termination of employment”, same as applies to intercept data etc.
19. Something about oversight agencies being able to share data with other agencies if there’s a public interest in doing so. I don’t understand the subtleties of this so I’ll move on.
20. PJCIS want to be able to “commence a review of the mandatory data retention scheme by June 2025”. Seems fair. I’d go for 2023 but whatever.
21. Telcos must store all this metadata (remembering that is not the word used in the Act) on servers in Australia “unless specifically exempted”. In other words, it’s a requirement except when it isn’t.
22. And lucky last, agencies that get to use telco data should have to meet minimum security standards for holding it, with those rules to be developed by, um, ACMA.
So they’re the PJCIS recommendations. That’s taken more than 90 minutes, so I’ll have a break and a coffee and then look at your questions and comments, and maybe poke at some of the other content of the report.
Normally I’d suggest you throw me a tip, but today you could throw me a pledge for “The 9pm End of Spring Series 2020” which ends at 9pm AEDT tonight. stilgherrian.com/endofspring2020 Back soon.
Right, back to this report of the Parliamentary Joint Committee on Intelligence and Security (PJCIS) review of Australia’s mandatory data retention regime.

This thread started back at and I’m also unrolling it at threadreaderapp.com/thread/1321593….
Before I look at your comments, I’ll also point you to this on @MsLods’ recommendation: Yesterday’s speech by Labor’s Anthony Byrne MP, who’s been on PJCIS a lot and who knows the history of data retention. Worth a read. openaustralia.org.au/debate/?id=202…
This is a reference to the Journalist Information Warrant, and this is a hot button issue for me. In the TIA Act s180G it’s defined as “(i) a person who is working in a professional capacity as a journalist; or (ii) an employer of such a person”. austlii.edu.au/cgi-bin/viewdo…
In the Evidence Amendment (Journalists’ Privilege) Act 2011 it’s “a person who is engaged and active in the publication of news and who may be given information by an informant in the expectation that the information may be published in a news medium.” www8.austlii.edu.au/cgi-bin/viewdo…
I had a very small part in influencing the wording of the latter. I’d written a thing saying it should be about a class of people (employees of certain organisations or members of a club) but whether the person was “committing acts of journalism”.
Here it is. “Senate to re-open Bloggers versus Journalists” (7 Nov 2010) stilgherrian.com/media/senate-t… I used to write quite long blog posts in those days.
Indeed, the idea that the so-called metadata itself is very revealing has been kicking around for ages. I mean, why else would the cops and spooks even want it? Also, Margaret Stone will be a hard act to follow as Inspector-General of Intelligence and Security (IGIS).
This is an important point. Oversight agencies are continually asking for enough money to do their jobs. They don’t get it. Indeed, they often get cuts. ANAO is a prime example.
Clarification on recommendation 15, thank you.
Interesting. Anyone making defamatory remarks to even one person has “published” those remarks (to a public of one) so why not have a parallel view of what counts as a public for journalism i.e. recounting or commenting on the news? This too is left as an exercise for the reader.
Yes, but the chances of this happening are rather slim. Much easier to rush through a bunch of ill-thought amendments, then drift languidly through a review process like a twig in a millpond. Or a dead trout.
It has been drawn to my attention that recommendation 20, a review to start by June 2025, does allow the PJCIS to start a review well before that, like in 2023, should it so choose. It’s a deadline not a timetable.
So now some other bits and pieces from the body of the report, starting with things that weren’t recommended. For those of you following along at home, this starts on page 93.
Location data. Too useful to law enforcement to remove from the warrantless regime, apparently. This is despite noting earlier that SCOTUS has ruled that obtaining location data requires a warrant per the Fourth Amendment.
I’m skipping a lot of this section because it’s mostly the arguments in favour of each recommendation. Some of it is quite technical, in the legislative or governance sense. You can read it yourself if you want to go down the rabbit-hole.
This final paragraph is fun. Internationally data retention laws are “in a state of legal and technological flux” so AU should do its own thing. Yes. Because other nations are demanding warrants or making the whole thing illegal. Lol.
“Additional Comment by Labor Members” (pages 165–166) which I’ll just screenshot in full. It’s mainly about access without a warrant may be used to the telco data of individuals who are not themselves suspected of any wrongdoing. They propose some process around that.
To wrap up this for now, I will draw your attention to one whole chapter, “International comparisons” (pages 81–91) which might be worth reading at some point. However I have some other things to do today so I’ll leave it there.
As I mentioned before, if you found this useful then maybe throw a few dollars my way, ’cos at this stage this was all just a backgrounder for me. No story has been commissioned. Please consider.
