- Title
Parliamentary Joint Committee on Intelligence and Security
05/09/2012
Potential reforms of national security legislation
- Database
Joint Committees
- Date
05-09-2012
- Source
Joint
- Parl No.
43
- Committee Name
Parliamentary Joint Committee on Intelligence and Security
- Page
60
- Questioner
CHAIR
Faulkner, Sen John
Wilkie, Andrew, MP
- Responder
Mr Pam
- System Id
committees/commjnt/c84503ae-f74f-4e82-a5a4-d4a788d87f9d/0008
PAM, Mr Andrew, Board Member and Life Member, Electronic Frontiers Australia
[15:54]
CHAIR: Welcome. Although the committee does not require you to give evidence on oath, I remind you that this hearing is a legal proceeding of parliament and warrants the same respect as proceedings of the chamber itself. The giving of false or misleading evidence is a serious matter and may be regarded as a contempt of parliament. The evidence given today will be recorded and will attract parliamentary privilege. Did you want to make any remarks before we go to questions?
Mr Pam : No, I think the submission we have given is fairly clear in and of itself.
Senator FAULKNER: As I have done with other witnesses, I would like to explore with you the issue of the data retention scheme. I do so because this, perhaps more than any other issue, whether this is fair or unfair, is certainly generating a lot of public debate and probably at the moment is the most controversial of the proposals that we have before us. I read in your submission your own view of this. If I recall correctly, words like 'unprecedented threats to privacy' and the like come to mind. The question for the committee, of course, is, as I have said to other witnesses, about balancing individual rights, civil liberties and fundamental freedoms that we all hold dear with our responsibilities for national security and the safety of Australians. Do you see any way that a data retention scheme can be developed with adequate safeguards that effectively delivers on both of these critically important imperatives that this committee is looking at balancing?
Mr Pam : These are of course very difficult questions. Certainly, it is the case that both of those goals—the goal of preserving civil liberties and freedoms and the goal of addressing national security concerns—are important. They are goals that the government is tasked to accomplish. The difficulty is that there has to be a judgment on which things are achievable and at what cost. Ultimately, 100 per cent safety is not achievable and, for every additional degree of success in prosecuting national security or criminal issues, there has to be a commensurate cost that is weighed against that. Our concern is that, as you increase the amount of data retained, the period of time for which it is retained and the number of organisations required to retain it, you are inevitably significantly increasing not only the costs in the most literal sense of financial costs and so forth but also the degree to which society and the culture of our society is turned towards one in which there is a climate of fear and a climate of concern about being surveilled by the government and a lack of respect for the government and the rule of law, and those are all very serious civil liberties issues which are very difficult to effectively address. As we pointed out in our submission, similar data retention requirements in Europe are now being challenged on constitutional grounds in a number of countries because they are really very difficult to effectively address. We just do not see any adequate justification in the proposal as it is put before us now. It is not that it may not be possible to justify, but no evidence of any serious justification has as yet been put forward.
Senator FAULKNER: That is fair criticism. I have said before that there are no safeguards outlined. In fact, the detail about the proposal itself is obviously very limited. You stress in your submission that transparency and privacy are absolutely critical if such a proposal is to go ahead. Why have you focused particularly on transparency and privacy?
Mr Pam : Evidence has shown in the past that once a system of retention like this is in place there is a very strong temptation at multiple levels: at the organisational level, the temptation for an organisation to take advantage of things that make the organisation's job easier, and at the personal level, where an individual may have access, the temptation to abuse that access. History has shown that routinely—not every day but recurringly, over a period of time—breaches do occur. The mere introduction of any such system of retention immediately exposes one to a risk. The longer the system exists, if it exists for a period of decades, then over that time it is a near certainty that there will be some abuses of the system. And then you have to weigh up the consequences of those abuses against the potential good that has come out of having the system in place. It is sometimes a difficult judgement to make, but history has shown that there are known negative consequences of introducing these systems. I think we have to think very carefully before we go ahead and put these things into place.
Senator FAULKNER: Have you found generally in preparing your submission, which is very helpful from the perspective of this committee, that it is a challenge, given the lack of detail around many of the proposals?
Mr Pam : Absolutely.
Senator FAULKNER: I would be interested in your view, first of all, about lack of detail and, secondly, the breadth and range of the issues the committee has before us. I would be interested in your perspective on how much of a challenge that was, or if you found that a challenge in developing your submission for the committee.
Mr Pam : That is certainly the case. The time period was not enormous to start with; it was four weeks, then extended to six weeks, which was not a great amount of time. Then, as you say, there is enormous scope—and perhaps rightly so, in the sense that this scope of issues certainly needs to be addressed. The change of technology very clearly raises all these issues, and the broad scope of topics that are of concern to law enforcement and national security is a reasonable thing to attempt to address. But when it is presented in this form without any substantive detail as to how exactly these things will be monitored and how we can assure ourselves that there will not be abuses—well, we cannot—or at least how the abuses will be minimised and on whom the cost will fall, and that we have actually investigated the consequences not only for the immediate stakeholders but in terms of the general impression it leaves upon the public, it can be corrosive. It can be corrosive to a democracy when the view of the public is that they are living in a surveillance state. The extent to which we have looked into this is not very great at the moment, and that does concern us.
Senator FAULKNER: Whatever the shortcomings and drawbacks might be, the information that is available to you is, effectively—apart from some confidential submissions—the same as what is available to us. We will develop our report and any recommendations that that report contains on a level of supporting information and documentation that is very similar to what you have. This leads to a point I would like to make to you: of course it is possible—although not certain, by any stretch—given that the committee has been given this task, that the committee's report and recommendation itself will have some impact on the final draft provision of the legislation when it is finally tabled. Hence the responsibility we have to try to get this right. Do you have any perspective on that? How would you like to be placed in this position?
Mr Pam : Indeed! The purpose of holding inquiries is, one would hope, to get some feedback, to make use of that and to then consider it. I certainly hope there will be some impact. But it is already the case, I understand, that there have been requests to clarify and further develop the thinking on how this would progress. At the moment a lot of it seems to be very vague statements of things that would be nice to have, without any substantive detail. I think we have to develop it further, and I would regret seeing this enshrined in law without more detail being presented and available so that the public can view the trade-offs we are being asked to make.
Senator FAULKNER: We are not even at the point yet of draft legislation. I suppose we are at the point, as far as this committee is concerned, of making possible input as to how that might develop and evolve. That is all I could say to you. Perhaps that is not well understood outside these four walls.
Mr Pam : It is a useful step.
Senator FAULKNER: Sure.
Mr Pam : And I certainly appreciate that.
Mr WILKIE: Mr Pam, I am not sure whether you are the person to ask this question. Do you have a good understanding of the technical aspects?
Mr Pam : I do. I am a computer professional, having spent several decades working both as a software developer and as a system administrator. I have been on a number of technical committees, including the Internet Engineering Task Force.
Mr WILKIE: You are more than qualified to answer my question. I am keen to learn what is technically possible. We have learned today that phone companies keep billing data and so on, but when it comes to the web they just basically sell capacity; they do not record who you or I might send an email to tonight. They do not keep that sort of information. Can they keep that sort of information?
Mr Pam : That is normally the case, but there are a number of important caveats to that. Let us deal with emails first. When people receive emails, in almost all cases the mailboxes are stored at a service provider somewhere, which may or may not be the internet service provider—often it is, but it may be a separate mail service provider, such as Google, so that could be anywhere around the world. Almost never do end users have the mailbox on their own computer and have the mail delivered directly to their own computer. That is almost never the case. It is possible, technically, but it is almost never done because of the sheer volume of spam. Something like 90-95 per cent of all email traffic is spam and most of it is removed on the network before it gets to you, thankfully.
Mr WILKIE: It is all sent to me.
Mr Pam : The amount we get is a fraction of the amount that is actually flying around. As someone who does actually operate a mail server myself, I can tell you that an enormous amount just gets knocked back immediately, before it even ends up in your mailbox. So the amount you see, which is enormous, is a fraction of the amount that is flying around. That is why people—
Senator FAULKNER: Can you organise more to be knocked back in my—
Mr Pam : I am trying to all the time. The consequence of that is that it is generally not desirable to operate that on your own connection. Normally, the mail arrives at a mailbox operated by some other party. That party does in fact have the entire content of all your communications because they are retaining it for you for your benefit. So, at the very least, that party will have all that information on hand. In many cases, that party may indeed also be your internet service provider. It is quite common to have a mailbox provided by an internet service provider. In fact, you may have multiple mailboxes. You may or may not make use of them. I, for example, use Internode as a service provider. I have a mailbox that Internode provides, and I use that mainly for the marketing messages and information messages that they provide to me. I do not use it for routine mail. Certainly, the consequence of that is that it is stored within Australia by my internet service provider and is accessible to law enforcement. In fact, all emails, unless I proactively delete them, will be retained there indefinitely. So there is potentially an indefinite record.
People's practices vary widely but my experience as a mail service operator is that many people do not routinely delete old emails. I have clients who have emails dating back to, say, 2004 sitting there in their mailbox. There are even emails that they have put into the trash. They have not emptied the trash—again, it is sitting back there for a decade or so. So those are routinely stored and would be available to a warrant or whatever. That is already the case now—but that may not be onshore; it may be at Google or elsewhere. So it varies.
As you said, it is not normally stored in transit because of the burden of doing so. There would be a massive storage burden and there is no reason to do so. It may be analysed in transit as part of an attempt to block spam or whatever. It may be retained very briefly during the analysis process and that could be in the order of seconds or minutes or even hours or, in an extreme, potentially even days but not longer than that. I hope that answers the email side of that question. Feel free to ask a follow-up, of course.
I will go to the web side of the question: web traffic is again generally between the end user and a multiplicity of websites. The operator of those websites of course has a record of all the communications of all the people who have communicated with them, and that may or may not be encrypted. There is now a movement towards using more encryption for security reasons because unencrypted web traffic causes difficulties in avoiding various kinds of hijackings and other things. There is also a possibility of intermediary proxies of various kinds purely for efficiency reasons. For example, I choose to operate a proxy in my house to minimise the amount I pay for my internet service because frequently my wife and I access the same website or I access a website and then come back and access it again the next day. I have a computer with a hard drive that intercepts all of my web requests and checks if it already has the information on hand, and that saves me maybe 20 per cent on my bill.
Most people, apart from tech savvy people, would not do that, but it is quite likely that an internet service provider might do that in some cases without necessarily making customers aware of it. It might be what is called a 'transparent proxy', in which case the customer does not have to choose the use of that proxy—their traffic is automatically proxied. There are also various accelerators, particularly for massive distribution of large amounts of content, in sporting events and things like that, and again Google has a huge amount of traffic. They have multiple servers geographically located as close as possible to the consumers so, even though you think you are making a request to a single website, it may in fact be intercepted and sent to some closer and more convenient server. That could result in records being retained in additional locations. Again, those will be retained usually for management and technical reasons, and they could be retained for some period of time.
Again, encryption tends to prevent that. But, particularly for employees, for example, a lot of companies would intentionally require their traffic to be decrypted, sent through a proxy and then re-encrypted. The employer would then be able to retain records.
Mr WILKIE: Can I just jump in here. Is the bottom line that it would be technically possible for the Australian government to direct Australian internet service providers to collect some of this information you have described? And what about someone going to foreign websites or even foreign internet service providers—what happens there?
Mr Pam : That depends on various different layers of how they are going about it. Ultimately, if a person is located in Australia then the traffic is in some sense passing through Australia. At the barest minimum, even if they are using some sort of satellite internet, it is passing through Australian airspace using radio waves licensed under Australian regulations. So there is always some layer of access. More commonly it is through wires that are owned by some organisation that has some Australian footprint.
On modular encryption, which is an issue, the short answer is that it is probably possible in most cases to institute a technological regime that would be able to capture anything and everything. Certainly it is the case that countries like Iran and Iraq, and China to some degree, are attempting to put exactly that kind of system in place. There are significant downsides and significant costs with that and it is not at all clear that we would want to be the kind of country that puts ourselves on that footing. But technologically I think the answer is that it is possible, with caveats and with costs.
Mr WILKIE: That is the bottom line I was pursuing—it is technically possible for the government to implement a regime that would harvest and store an enormous amount of data, including information on who a person is sending an email to or getting an email from, and conceivably even storing the content of those emails, if they wanted to go down that path, to go that far. It is technically possible.
Mr Pam : Yes, in general. Particularly with the use of strong encryption, there are mechanisms that would help to bypass that to some degree. One of the things we have pointed out in our submission is that, the more interest people have in disguising information and hiding from surveillance, the more difficult it becomes to capture that information. So the likely result of putting such a regime in place is that one would generally capture everything except the information that is of most value. One would tend to impose significant costs and capture a great deal of traffic from people who are not the most motivated. But there are mechanisms that the people who are the most motivated can take that make their information very difficult to intercept.
Mr WILKIE: So it is quite conceivable that the government could put in place a very tough regime but it could be avoided by those who are a little bit tech savvy.
Mr Pam : Those who are highly motivated, yes, and who are either tech savvy or have access to that information. That is another difficulty—once the information is available, unless you put in place very strong censorship, people can, even if they are not themselves that tech savvy, do a search saying, 'How do I prevent my email being intercepted?'
There are tools being created. Even, for example, the US government has funded tools to help people who are in repressive regimes. It publicises that quite widely, so you can go and look up the software that has been made available by the US government to bypass repressive regimes and say, 'I think I'll use that.'
Mr WILKIE: If I pulled out my iPad now, how hard would it be for me to find out how to get around a tough regime, or to get around the sorts of reforms that the government might be considering?
Mr Pam : It is always a question of exactly how significant the surveillance that you are trying to evade is. As with any security measure, the rule in security is that nothing is 100 per cent. You always have a certain degree that you can achieve and a cost that you are trying to minimise. If you are trying to make something secure, you say, 'What are the attackers' resources that I am willing to protect against?' A lot of security on the internet is rated against drive-by attacks, because those happen all the time. Some of it is secure against highly motivated organisations, but very little of it is secure against people who have millions of dollars to spend. If a government is willing to spend on the order of millions of dollars worth of computing power, it can intercept even strongly encrypted traffic. The suspicion has always been that, for example, the National Security Agency in the US has enormous resources and potentially can intercept even very strongly protected material if it is very strongly motivated to do so, and it is very difficult to protect against that. But certainly anything less than significant amounts of computing resources can be relatively cheaply and straightforwardly protected against.
Mr WILKIE: Putting aside the capabilities of the government agencies, do the ISPs like Telstra have the know-how, in your opinion, to crack commercially available encryption?
Mr Pam : Know-how, yes. Resources is another question. Certainly anybody with any technical education would have both the knowledge to encrypt information to protect it and the information on processes commonly used to crack that. The thing is that generally these things are designed to be asymmetric, so the amount of resources required to crack encryption is significantly more than the amount required to encrypt in the first place. A telco could, of course, also crack and intercept traffic, but the usual way that this is done is, as I alluded to earlier, that employees are often required to consent to their employer explicitly putting in place a system which intercepts and decrypts any encrypted traffic. That is done by having a system—which is now sold routinely as a commercial product—that allows you to create your own keys that purport to be the end point of communication. Let us say I wanted to have a private conversation with Google in order to pick up my Google mail. You can buy an off-the-shelf product that sits at your employer's data centre and has a fake key that pretends to be Google. I am required as a condition of employment to accept any and all fake keys signed by my employer. So I have what appears to be a secure conversation with what appears to be Google but is in fact my employer pretending to be Google. It then gets analysed in whatever way my employer wishes and then is re-encrypted correctly in the normal way with Google's real key. So of course a telco could use the same equipment, but the difficulty there is that people would have to accept the telco's fake keys, and they would not normally choose to do so unless somehow obligated to do so, and then of course there would be an incentive to bypass that somehow if possible.
Mr WILKIE: Okay. My head is well and truly spinning, but I think we have come across a very important point in all that about the effectiveness of anything the government might do.
CHAIR: I have a follow-up question on the same lines, inspired by Mr Wilkie. It is not a fleshed-out proposal, but let us say telecommunications carriers then harvest or keep this data. Say there is a scheme that says that we need to keep all the data for two years. How easy would it be to access it?
Mr Pam : Yes, that is one of the concerns that we have expressed in the submission. The problem is that, first of all, it is not generally the case—much to the concern of security experts everywhere—that people have good security practices, as we constantly find. The bare minimum of security practices that security experts will recommend is that you keep sensitive data encrypted normally when not actually in use. If you keep it backed up or on a CD for transport or any of those kinds of things, the backed-up form or transport form of that data, where it is not in active use, should be encrypted. In the event that it falls into the wrong hands or is lost in the mail or whatever—and these things do happen: laptops get stolen or lost on trains and planes—you would hope that that information is encrypted so that it cannot be used by the first person to pick it up. Sadly, even that does not often happen. So this is a real concern.
Again, there are costs to deploying this sort of regime, and a lot of companies do not do it right or do not do it adequately; or their employees are not rigorous about it—or whatever. It is a real concern. Of course, you could legislate for that, and you could say that there are protective requirements, that telcos are required to ensure that their information is adequately protected against loss or theft. Again, there are costs to that—they have to deploy the necessary technology, they have to train the staff, they have to ensure that those requirements are adhered to. There is going to be a cost in deploying the system in the first place; to deploy it securely adds additional costs. But I think we should be requiring that.
CHAIR: Thinking about all the many terabytes of information that would be stored, again, it looks like, according to what we understand—and that is a limited understanding—that that would be at the behest of the carriers, so it would be the carriers that would be responsible. How secure would that information be?
Mr Pam : As I said, you would hope that there would be some decent measures taken—and possibly even a requirement that decent measures be taken. But there are two kinds of security issues that I immediately see: one is the leakage or loss of control over the data in the first place; and the second is access to and understanding the contents of that. So the first question is: can people walk off the premises with it, or download it from the premises—whether it be physically or over the internet—and the second question is: having obtained that data, is it in some way protected or can they immediately access it and make use of it?
This becomes an even greater concern when you start to cross-link. This is a very serious concern now—that, even in cases where information was not at first thought to be privacy-infringing, linking it with other information can in fact lead to privacy infringements. There was a very embarrassing instance, where I think it was America On Line released anonymous search results for researchers, and it was soon discovered that with a bit of analysis you could actually identify specific people and specific searches they had made. So it turned out not to be sufficiently anonymous and not sufficiently private. That does happen. So it is not just about a single breach but, if the people who have their hands on that information can then link it with other information, it can rapidly worsen the situation.
So how do we ensure that, having put such a regime in place, and that this data is being retained, it is in fact not going to fall into the wrong hands? Well, in fact that is a very difficult question. As I said earlier, it is not only external attackers; it is also misuse by internal staff—and, furthermore, by the organisation which, for internally legitimate reasons, has decided on things that are scope-creep: 'We have this on-hand; what else could we use it for?' So all of these are very serious concerns. Of course, you can try and put more wording in that says that certain things can, must, should be done or not be done; but that complicates legislation and is also more fragile and difficult to keep up to date with changes in technology.
CHAIR: Thank you. Are there any further questions?
Senator FAULKNER: I knew all that, by the way!
CHAIR: Yes, exactly—techno-geek here!
Senator FAULKNER: I speak in jest. That was very helpful.
CHAIR: Thank you very much for your evidence; we certainly appreciate it. It certainly helped to eliminate some of our thinking on this. If we have any further questions, we will write to you, but thanks again for both your submission and your evidence, which were very comprehensive. We appreciate it.
Mr Pam : Thank you very much.
Resolved (on motion by Senator Faulkner):
That this committee authorises publication of the transcript of the evidence given before it at public hearing this day.
Committee adjourned at 16:23