Internet data retention is back in the headlines in Australia.
The Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 was tabled by the Minister for Communications, The Hon. Malcolm Turnbull MP, in the Australian Parliament on 30 October 2014. Release of the Bill led to same day media reports that kids accessing pirated movies would be exposed and could be prosecuted by copyright owners that mine this new rich vein of evidentiary material. Later in the day, we read reports that internet users’ private details would be exposed to bad actors that had ‘one stop shopping’ incentives to hack into ‘this new honey pot’. The Shadow Attorney-General, The Hon Mark Dreyfuss MP, responded in more moderate terms: “This legislation is complex and contentious. It is broader than National Security. It has privacy implications and could also potentially increase the cost of internet bills. It therefore needs to be subject to robust scrutiny over months not weeks.” The Opposition got its wish: the Bill will now be reviewed by a Parliamentary Committee before retiring to the House.
As reactions to the Bill indicate, data retention debate in Australia will continue to be vociferous and polarising. But at last we have a concrete and public proposal with which to engage. The privacy implications are potentially very significant. This is particularly so because the Bill does little to limit the current broad powers enjoyed by law enforcement agencies to access information about communications. The Bill does propose to limit access to a smaller category of such agencies, being ‘criminal law enforcement agencies’, and to create some new, after-the-event transparency and accountability measures. But the broad powers of access remain largely unchanged. Those access powers are also frequently mis-described.
This brief review attempts to explain the Bill in the context of those access powers.
Proposed data retention scheme
Presently, there is no specific obligation for Australian communications carriers and carriage service providers to retain either the content of communications, or information about communications, for any particular period. The effect of the Bill (if enacted) would be to create a new obligation to capture and retain for a period of (generally) two years certain categories of information about communications. This information about communications has come (colloquially and misleadingly) to be referred to as ‘metadata’. The retention obligation would be imposed upon most providers of communications carriage services provided to the public between points within Australia or points within Australia and points outside Australia (viz. international services touching Australia).
We now need to delve into some of the obscurities of telecommunications law to explain why I said ‘most providers of communications carriage services’. I’ll try to make that explanation as brief and pain-free as is possible.
Communications carriage services are services for the carriage of voice, audio, visual, audio-visual and any other form of data between places. Provision of such carriage services within Australia using certain types of communications capacity leads to the owner of that capacity being required to be licensed as an Australian telecommunications carrier. Use of capacity within Australia, or to and from Australia, to provide such carriage services leads to the provider of such carriage services being required to comply with requirements in the Telecommunications Act 1997 and the Telecommunications (Interception and Access) Act 1979 – I’ll call the second Act the TIA Act to save space – that are applicable to ‘carriage service providers’. So an internet access provider will usually be a carriage service provider (another telco acronym: a ‘CSP’) because the provider provides to its subscribers carriage of traffic over the internet (as well as internet connectivity). An internet service
provider (‘ISP’) – not itself a term of art and covering many different types of service providers - may be required to be a carrier, a CSP, or neither. It will be required to be licensed as a carrier if that ISP owns capacity used for this purpose: iiNet is a carrier, as well as an ISP and CSP. A VoIP provider such as Skype carries voice traffic over the internet and out to non-Skype numbers and so clearly is a CSP. But a provider of cloud services on a ‘come-to-me’ basis – Dropbox, Amazon Web Services, etc. – is not a CSP, unless the provider branches out to deliver communications traffic to the public. Many providers provide internet carriage services to and from Australia and to the Australia public ‘over the top’ (OTT) of other internet carriage services. This means that some OTT service providers are regulated (because of the carriage component of their service) as CSPs, regardless of whether they own or operate telecommunications network infrastructure in Australia. This frequently leads to knotty legal questions as to whether a service is a regulated carriage service. Even more confusingly, a very important regulatory distinction under the Telecommunications Act as between carriers and CSPs is glossed over in some parts of that Act and the TIA that deem carriage service providers to be carriers for the purpose of application of those Parts.
As a result of these confusions and the distortions through layering of many amending Acts, telecommunications has become an arcane byway of Australian regulation, a black art understood by few and feared by many.
If you’re still with me and you’ve memorised those handy shorthand acronyms, you’re now ready for a quick dive into the Bill.
The data retention scheme proposed in the Bill would apply to Australian telecommunications carriers and also to ISPs, including ISPs that are CSPs, but only if they own or operate in Australia infrastructure that enables the provision of any of the provider’s relevant services.
This retention obligation would apply to specified information relating to any communication carried by means of the service. The Bill prescribes categories of information that may be required to be retained, but then allows for regulations to be made to specify particular information within these categories that must be retained. So the Bill would provide the Minister with broad scope, through promulgation of regulations, to prescribe particular information that must be retained. The categories are sufficiently broad to allow prescription of much information about communications generated not only in the course of provision of a CSP’s carriage service, but also information about use of by a third party OTT application and that are carried by means of a service provider’s service, subject to an exception discussed below. For example, the categories include:
- the characteristics of a subscriber to a relevant service (e.g. internet access service) using an OTT service (e.g. name or other identifier, address, billing and payment information);
- information about the source and/or destination of a communication. This category of information may include identifiers used in relation to a VoIP or email service, or any other identifier used to describe a particular OTT service from which a communication originates;
- information about the date, time and duration of a communication, or of its connection to a relevant service. This category may include information about the start and end time of a communication, the carriage of which is enabled by an OTT service provided by a third party;
- information about the type of a communication, such as VoIP, instant messaging or email provided by a third party OTT provider; and
- the location of equipment used in connection with a communication. The Bill expressly does not require a service provider to collect and retain:
- the contents or substance of a communication;
- information that states an address (e.g. IP address, port number or URL) to which a communication was sent on the internet from a telecommunication device using an internet access service provided by the service provider, and that was obtained by the service provider only as a result of providing the service. This exception is intended to exclude web browsing history from the retention scheme. However, if the service provider obtains a destination internet address identifier in the course of providing another service (e.g. an email service), the provider would be required to keep records of such identifiers; or
- information if it relates to communications carried by means of an OTT service operated by another service provider. This is a particularly difficult distinction to draw and will cause problems.
Draft regulations included for comment in the Explanatory Memorandum state ‘kinds of information’ within the categories that are proposed to be prescribed by regulation and therefore required to be captured and retained. Reliance upon regulation-making of itself raises concerns. The making of amendments to an Act of Parliament is generally an arduous and drawn-out process involving specialist Parliamentary Drafters and parliamentary scrutiny before passage. Although many Regulations are well crafted, there is often insufficient care or precision in drafting of Regulations in Australia, often insufficient prior consultation and notice, and generally poor accountability and transparency. Regulations may also be stated to come into immediate effect, albeit then being subject to a requirement for tabling in the next sitting of the Parliament and potential disallowance within a limited period by vote of either Horse. In the sea of legislative rule-making in Australia, parliamentary scrutiny of regulations is often cursory. As a matter of good legislative practice, key matters should be locked down by an Act of Parliament, not potentially subject to change by Ministerial decision and regulation. There is certain to be lively debate – as there should be – as to whether the categories of information are sufficiently described and circumscribed as to limit regulatory creep through regulations prescribing additional ‘kinds of information’ about communications that must be retained. Regulatory creep might have very substantial financial, as well as privacy, implications: one consequence of prescription of additional kinds of information is likely to be that significant reprogramming or other re-specification of data capture tools and databases will be required of the affected provider.
So the kinds of information (within defined categories) that might be required to be captured and kept is indeterminate, although the Government has given us their initial proposal (in the form of a draft Regulation). The providers that are required to capture and retain that information are more easily identifiable, although the scope of relevant ISP services is still quite hard to work out. It is not readily apparent how you determine whether a provider owns or operates in Australia ‘infrastructure that enables’ the provision of any of the provider’s relevant services. And it is particularly difficult to work out how far the proposed rules are intended to in relation to capture and retention by underlying CSPs of information about communications using OTT services delivered by other providers over the underlying internet carriage service.
So how extensive is the change to retention obligations? Well, huge. The Telecommunications (Interception and Access) Act 1979 (only from October 2012) dealt with preservation of certain stored communications (only) ‘stored’ on equipment operated by or in possession of an Australian carrier or CSP, pursuant to:
- a domestic preservation notice, issued by either a law enforcement agency (a broad range of State and federal agencies are listed in section 5 of the Act) or in the case of (live) interception, a more limited class of interception agencies; or
- a foreign preservation notice, issued by the Australia Federal Police following a Mutual Legal Assistance Treaty (MLAT) request made by a foreign law enforcement agency.
The subject matter of the preservation notice is ‘stored communications’, which has been interpreted to mean what is commonly referred to variously as call content, the content of communications or payload data, but not information about communications (i.e. service identifiers, device identifiers such as MSISDN, location related information, date, time duration etc.). A domestic preservation notice can only be issued for a 30 day period. It may then be replaced by a telecommunications service warrant - an interception warrant - or a stored communication warrant, issued in respect of a particular person and valid for preservation of communications content of specified types of communications made by that particular person within a specified period.
So the Bill is the first mechanism to enable preservation of information about communications, and does so on a generic service-wide basis, not case by case.
So let’s now assume that the Bill is passed and this relevant information about communications – note again, not the content of the communication - is being retained. Who can get to see it?
The Federal Privacy Act 1988 exempts certain disclosures in permitted general situations as described in section 16A of that Act, including that the disclosure “is reasonably necessary for the establishment, exercise or defence of a legal or equitable claim”. Disclosure is also permitted where the disclosure “is required or authorised by or under Australian law or a court/tribunal order”: APP6.2(b). There are many such laws: a variety of Federal, State and Territory Acts empower particular agencies to compel disclosure. For example, the NSW Crime Commission: section 29 (Power to obtain documents and things) of the Crime Commission Act 2012 (NSW) provides that an executive officer with special legal qualifications may, by notice in writing served on a person require
the person to attend before the Commission at a particular time and place and produce to that officer a document or thing specified in the notice, being a document or thing that is relevant to an investigation. Subpoenas are frequently already issued by courts on third parties, including ISPs, to produce records.
Information about communications currently cannot be disclosed by carriers or CSPs because to do so would lead to criminal liability under (relevantly) section 276 of the Telecommunications Act 1997, possible contractual liability to the user and/or liability under privacy laws and associated telecommunications codes with privacy related provisions, such as the Communications Alliance Telecommunications Consumer Protections (TCP) Industry Code (C628:2012).
Exceptions to section 276 allowed carriers and carriage providers to elect to make voluntary disclosure if “the disclosure is reasonably necessary for the enforcement of the criminal law”, “a law imposing a pecuniary penalty or [a law] for the protection of the public revenue”. In practice most providers elected not to make voluntary disclosure of information about communications because of prospective liability that might flow from them making an inherently subjective determination as to what is, or is not, “reasonably necessary”, and the fact that voluntary disclosures generally are not excepted from privacy laws and associated telecommunications codes with privacy related provisions.
So providers currently usually require either:
- legal compulsion, such as a warrant or other Court order or a statutory notice to produce like a NSW Crime Commission notice, or
- the law enforcement agency to provide a written authorisation signed by an authorised officer, which (if facially valid) under various provisions exculpates the provider from liability under section 276 for provision of the relevant information about communications as specified in the warrant.
Any compulsion to comply with a facially valid authorisation does not flow from the exceptions to section 276 but rather from the vague and controversial section 313 of the Telecommunications Act. This provision requires carriers and CSPs to give Federal and State officers and authorities such help
as is reasonably necessary for enforcing the criminal law and laws imposing pecuniary penalties; assisting the enforcement of the criminal laws in force in a foreign country; protecting the public revenue or safeguarding national security. Section 313 then helpfully for providers has a general exculpation from all laws or liability in relation to the provision of such help. Some agencies, apparently creatively advised, interpret section 313 as, among other things, enabling them to require blocking of particular internet sites and requiring information about communications to be retained for whatever period they determined. Section 313 is not changed by this Bill and potentially could operate over the newly broadened categories of information to be captured and retained.
Currently any Federal, State or Territory authority or body that enforces a criminal law, a law imposing a pecuniary penalty or a law that protects the public revenue is an ‘enforcement agency’ under the TIA Act and can seek information about communications under the TIA Act. The Bill would require that bodies that are not a ‘criminal law enforcement agency’ for the purposes of the TIA Act must be declared by the Minister to be an ‘enforcement agency’ before they can authorise the disclosure of information about communications.
The Bill would also amend Chapter 3 of the TIA Act to limit the availability of stored communications warrants, authorising access to the content of communications, to ‘criminal law-enforcement agencies’. Currently, any authority or body that is an ‘enforcement agency’ can apply for a stored communications warrant.
The Bill would require all Commonwealth, State and Territory enforcement agencies to keep specified information and documents in order to demonstrate compliance with their statutory obligations under the proposed scheme. These new record-keeping obligations would expand upon those that currently exist in the TIA Act. The Bill would also give the Commonwealth Ombudsman broad-ranging powers to inspect the records of an enforcement agency so as to assess the extent of their compliance with their obligations relating to the issue of preservation notices and access to stored communications, and access to telecommunications data.
Clearly, the Bill is complex and its prospective operation is unlikely to be broadly understood. Many privacy advocates will remain concerned that data retention is mandated at all. Other critics will be concerned that the Bill creates a framework for rules that can be adjusted and expanded through Ministerial regulations. Carriers and CSPs will be concerned at the cost of capturing and retaining information and the likely costs of servicing an increasing number of requests for access from law enforcement agencies that can be expected to take advantage of this new evidentiary source. The data retention debate will not end with this Bill. Rather, the debate will enter a new phase, possibly just as vociferous and polarising as the debate before the Bill entered the Australian Parliament.