Australian Mandatory Data Retention Abused Just Weeks After Rules Are Put In Place
from the because-that's-what-happens-with-data-retention dept
We've been talking about Australian politicians' odd obsession with passing ever more draconian data retention rules for years now. As you may recall, the politicians pushing for this appeared to have absolutely no clue what it actually entailed. Just a few months ago, we wrote about reports about how Australia's data retention laws had been abused to spy on journalists and their sources. While some parts of the law went into effect a year and a half ago, it appears some parts just went into effect a few weeks ago. These new rules require every ISP to retain metadata on all online communications for at least two years. And... it took just about two weeks before the Australian Federal Police (AFP) were forced to admit that it had used the info to spy on journalists (again). They insist this was a mistake, of course.
"Earlier this week, the AFP self-reported to the Commonwealth Ombudsman that we had breached the Telecommunications Interception Act. The breach ... related to an investigator who sought and was provided access to the call records of a journalist without the prior authority of a journalist information warrant," AFP Commissioner Andrew Colvin said on Friday afternoon.
"No investigational activity has occurred as a result of us being provided with that material. Put simply, this was human error. It should not have occurred, the AFP take this very seriously, and we take full responsibility for a breach in the Act. I also want to say there was no ill will, malice, or bad intent by the officers involved who breached the Act. Quite simply, it was a mistake that should not have happened."
Even if this truly was an accident, it highlights why mandatory data retention is so dangerous. That information will be accessed, and not always for good reasons. There's a reason why we don't allow law enforcement to search our stuff willy nilly without a warrant, and mandatory data retention completely flips this whole concept on its head for no good reason. Such information will almost always be abused -- and sometimes pretty damn quickly after it's available.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: australia, data retention, isps, journalists, privacy, surveillance
Reader Comments
The First Word
“Not rights and privileges. We accept that they have more protections than everyone else.
We accept that police have a few legal and physical protections that ordinary citizens do not. This is necessary to protect them from the criminals they are tasked to combat. Elected officials often get extra legal and physical protections too.
To prevent abuse and corruption there are checks and balances. We accept that journalists are one of the big ones.
We accept that journalists can keep their sources secret, because those sources are often whistleblowers telling of abuse and corruption. We accept that because journalists speak truth to power, they and their sources need protection from that power.
Yes, the age of blogs casual journalism has blurred the definition of journalist. But that's only made the need to protect journalists more important:
Consider the movie Spotlight, about the Boston Globe's investigation of systemic child sex abuse in the Boston area by numerous Roman Catholic priests. It's been said that if the story happened today, it wouldn't have been reported. The newspaper, with a much smaller subscription base and ability to absorb legal expenses, would have backed down in the face of Church opposition.
Subscribe: RSS
View by: Time | Thread
Link to ZDNet story is truncated...
http://www.zdnet.com/article/afp-mistakenly-accessed-journalist-call-records-breaching-metadata-l aws/
That and: 'mistakenly', my ass!
[ link to this | view in chronology ]
Interesting quote in ZDNet story
"The government does not believe that this is necessary, but is proposing to accept it to expedite the Bill."
Is there any legitimate purpose for police or government to spy on journalists?
[ link to this | view in chronology ]
Re: Interesting quote in ZDNet story
Yes. Being a journalist does not make one an angel. If journalists enjoyed absolute immunity from investigation, then it would make sense for career criminals to take a day job as a journalist solely for the cover it would provide for their illegal activities. There are legitimate purposes for the police to investigate anyone. However, that should not mean it is easy for them to do without oversight, nor should they do it without probable cause to believe that they will uncover evidence of a crime that, upon presentation to prosecutors, is likely to be pursued.
[ link to this | view in chronology ]
Re: Re: Interesting quote in ZDNet story
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
Should've just stopped there.
[ link to this | view in chronology ]
Re:
"the AFP self-reported to the Commonwealth Ombudsman that we had breached the Telecommunications Interception Act."
...although I think the real story here is that the police in Australia still had enough moral fibre to admit to the mistake the moment they realised, and still have a regulation body that has enough teeth to ensure they do this. Both of these things should be lauded, even if you personally think the breach was minor.
Let me guess, you're one of the people who regularly rails against oversight and regulation here?
[ link to this | view in chronology ]
Re: Re:
My_Name_Here is simply obsessed with wielded authority. Possibly to a sexual degree.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
For every permitted use, there will be a proportional amount of abuse as a result. So for any governmental responsibility you have to find the point where the diminuishing returns of a wider permitted set of tools and actions no longer offset the drawbacks of the accompanying abuse.
[ link to this | view in chronology ]
How is this possibly an "accident"? The investigator accidentally requested call records? The investigator was so inept that they did not know it was a journalist?
I don't get how the "whoops!" defense can actually work here.
[ link to this | view in chronology ]
Re:
The investigator accidentally skipped the optional training session that would tell him/her not to do this, accidentally requested the full take data dump instead of the summary that is always available without a warrant, and accidentally checked the "exigent circumstances" box on the request form. The data retention agent accidentally overlooked all these mistakes and delivered up the data without even an "Are you sure?" confirmation. ;)
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
Not rights and privileges. We accept that they have more protections than everyone else.
We accept that police have a few legal and physical protections that ordinary citizens do not. This is necessary to protect them from the criminals they are tasked to combat. Elected officials often get extra legal and physical protections too.
To prevent abuse and corruption there are checks and balances. We accept that journalists are one of the big ones.
We accept that journalists can keep their sources secret, because those sources are often whistleblowers telling of abuse and corruption. We accept that because journalists speak truth to power, they and their sources need protection from that power.
Yes, the age of blogs casual journalism has blurred the definition of journalist. But that's only made the need to protect journalists more important:
Consider the movie Spotlight, about the Boston Globe's investigation of systemic child sex abuse in the Boston area by numerous Roman Catholic priests. It's been said that if the story happened today, it wouldn't have been reported. The newspaper, with a much smaller subscription base and ability to absorb legal expenses, would have backed down in the face of Church opposition.
[ link to this | view in chronology ]
Yeah, no big deal .... it's sorta like that dude who tripped, fell and accidentally impregnated that chic.
[ link to this | view in chronology ]
Re:
I'm not talking about the dude impregnating the chic.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
The usual
Since it is the same government that will investigate and punish the actions of itself that means...
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Reverse
[ link to this | view in chronology ]
The response
I am surprised TechDirt didn't mention the reply of the Attorney-General, Geroge Brandis in the story. His reply could be summarised as "meh". (This is the same guy who wanted to legalise racism, so the response is not a surprise.)
http://www.abc.net.au/news/2017-04-29/metadata-laws-need-reform:-expert/8482104
[ link to this | view in chronology ]
I mean, does an ISP know whether one of their customer accounts is a journalists account? Is there some magic account type that is flagged as a journalist account? When signing up for an account, is the customer expected to ask for a special journalist account? Or is it just some flag on that account that a journalist has to request the ISP to set?
Or does the ISP, or some global registration body, keep some register somewhere of who is a journalist?
What happens if a non-journalist then becomes a journalist (however that is defined), are they supposed to inform the ISP to get their account flagged? Or create a new special journalist account? Or register with some body?
So, when am ISP receives a 'regular' warrant, are they supposed to first verify whether the target is a journalist or not? Are they on the register, have a special account or a flagged account, or do they have to do some sort of investigation first - google searches, contact the target and ask them, what?
If there is no reasonable way for an ISP to know whether an account is a journalists account, then to them the warrant-type is pretty much irrelevant - they have a warrant, hand over the data.
OK, so whether there is a way or not for the ISP to know whether the account is a journalists account, how is the requesting officer supposed to know? I mean, if they suspect some person of some crime where they want the browsing data - probably automatically requested for any suspect for any crime no matter what it is (mugging, auto-theft, assault, causing a public disturbance, public urination...) that data is there so why not get it - how do they know whether the suspect is a journalist?
Again, is there some register kept, such that when they enter the name into the software that creates the warrant it automatically flags it as a journalists account for additional approval processes? Or do they have to specifically choose the "journalist metadata warrant" form type, therefore they already need to know so as to choose the right form?
Or, before requesting any metadata warrant, ever, for anyone, are they supposed to do some sort of investigation first into whether the suspect is a journalist or not?
I can see all sorts of problem with requiring any sort 'special' warrant for some specific class or classes of individuals.
[ link to this | view in chronology ]
Re:
1) preview (which now shows as signed out)
2) sign in - and get an error
3) hit back twice to get back to the preview
4) hit preview again which now shows as signed in
5) submit
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
It did not paint either side of Government in a good light, hence the laws sailed through quite quickly.
[ link to this | view in chronology ]