Nadia Kayyali and Jeremy Malcolm
Electronic Frontier Foundation
The Australian government announced new anti-terrorism measures this week, in response to the alleged involvement of Australian citizens with extremist groups in countries including Syria and Iraq. Quietly omitted from the briefing at which those changes were announced, but separately leaked to the press this week, were the government’s plans to introduce mandatory data retention requirements for Australian Internet Service Providers (ISPs).
The new measures remain shrouded in confusion—some of which is coming from its very proponents. There have been conflicting reports about whether users’ browser history would be hoovered up by the new surveillance laws. And in a now infamous interview, Attorney General George Brandis struggled to explain how retaining the addresses of websites visited was different than determining what content users were viewing. Prime Minster Tony Abbott also attempted and failed to make the same distinction two days later.
The government has attempted to clarify, emphasizing that the data retained would include the IP addresses of websites visited, as well as the times and durations of visits. Also included would be senders’ and recipients’ email addresses, IP addresses assigned to users, as well as details of phone calls such as caller and recipient numbers, caller location and duration.
This is still an extraordinary amount of information. And EFF has previously explained why metadata matters at least as much as the content of communications. Users can take no solace in the fact that content is not being collected. As former National Security Agency General Counsel Stu Baker said: “metadata absolutely tells you everything about somebody’s life. If you have enough metadata, you don’t really need content.” Metadata includes information like who your contacts are, where and when you go online, and websites that you may legally visit that might be politically subversive, iconoclastic, or simply your own private business. But as a Stanford study earlier this year demonstrated, it can also reveal “medical conditions, firearm ownership, and more.”
So how is the government spinning this? One rationale for data retention sometimes heard in this debate is that ISPs collect some of this metadata already anyway for technical and billing purposes. But this rationale falls short—under Australian privacy law they are not permitted to collect personal data that they do not need, nor are they permitted to retain it for longer than they need it for the purpose of collection. That would all change under this new proposal, which may help explain why ISPs are expressing concerns and confusion about the potential mandate.
Although threatening, the proposal is not exactly new. Most recently it resurrects the subject of a 2012 discussion paper that recommended that ISPs be required to maintain the metadata of users for two years. At the time, a member of the current government, who was then in opposition, likened proposals for data retention to Gestapo tactics, and they were eventually dropped into the lead-up to the 2013 general election.
So if the proposals wouldn’t fly in 2012 under the previous government, why now—particularly in light of leaked documents from Edward Snowden that show the role Australia has played in the NSA’s invasive surveillance? The Prime Minister himself admits that the terrorist threat has not changed. Yet in a replay of the rushed introduction of similar laws in the United Kingdom last month, the new proposal could become law as soon as next month, before it has even been tabled for consideration of the Cabinet.
It appears the government is attempting to manipulate allegations of Australian citizens’ involvement in terrorist activities overseas, to justify a much broader and more intrusive domestic surveillance regime. It’s a cynical move, and one that the Australian public should not stand for.
For the latest news in digital privacy, please visit and support the Electronic Frontier Foundation.