Note: Where available, the PDF/Word icon below is provided to view the complete and fully formatted document
Legal and Constitutional Affairs References Committee
02/02/2015
Comprehensive revision of the Telecommunications (Interception and Access) Act 1979

LAWRENCE, Mr Jon, Executive Officer, Electronic Frontiers Australia

[10:34]

CHAIR: Welcome to the hearing. You have probably got this little spiel memorised by now. Thank you for talking to us today. Do you wish to make a brief opening statement before we go to questions?

Mr Lawrence : I do. As you would be aware, I appeared before the Parliamentary Joint Committee on Intelligence and Security on Thursday. I wish to repeat some of the points I made to them, just for the record, and I have also got reflections on some of the other evidence from Thursday and Friday that I would like to share with the committee.

Firstly, Electronic Frontiers Australia—or EFA—have been advocating for the promotion and protection of civil liberties in the digital context in Australia since 1994. We are an independent, member-based national association. Just for clarity, because I realise that some representatives of the Electronic Frontier Foundation are appearing later today, I would like to point out that although EFA and the EFF are very close friends—we were founded at a similar time for the same general purposes and share many of the same motivations and objectives—EFA and EFF are independent bodies and are not in any way formally linked, although we have an excellent working relationship with them.

With that clarification out of the way, EFA believe that an indiscriminate, society-wide, mandatory data retention scheme as is being proposed by the government in the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 is an unnecessary and disproportionate invasion of the privacy of all Australians. We also believe that such a scheme subverts the principle of the presumption of innocence by collecting information about every single Australian's online and telephonic communications, regardless of whether they are a suspect in any criminal activity or not. Further, as I think you have heard, it will add significant cost to a range of businesses, it has the potential to reduce competition, particularly in the internet services sector, and to potentially drive up internet costs for all Australians. The legislation will also create the potential for serious harm to Australians should the enormous databases of personal information that will be created be misused or compromised. EFA believe that should this legislation proceed, it will not be a question of whether some of this information is compromised or misused, but rather when and by whom. As I pointed out to the committee on Thursday, the only truly secure data is data that does not exist.

One other element that has been given some coverage is the fact that this particular retention of source IP addresses for long periods of time will create a great deal of interest for civil litigants, particularly those involved in alleged copyright infringement as well as a whole range of other matters that obviously are well outside the scope of national security and criminal activity.

EFA is one of more than 400 civil society organisations from around the world that have signed on to the international principles on the application of human rights to communications surveillance. We draw the committee's attention to those principles, which are available at the website necessaryandproportionate.org. EFA believe this legislation falls well short of these principles and should therefore be withdrawn. We would point out, however, that we are not in any way opposed to targeted surveillance with appropriate safeguards and oversight. We support the important and necessary work that our law enforcement and intelligence agencies perform on a daily basis; however, we believe that the existing powers available are sufficient for them to perform this work.

We have some genuine concerns and we are completely unconvinced about the efficacy of mandatory data retention regimes generally, and I will cite two examples. In the United States in January 2014, their Privacy and Civil Liberties Oversight Board examined, at President Obama's request, the metadata program that is in place there and found little evidence to suggest that it had made the US any safer. Perhaps even more definitively, in 2011 the German parliament's legal service studied their experience. The German experience is unique in the sense that they had the ability to examine the situation before, during and after a mandatory data retention regime as theirs was introduced and then withdrawn when ruled unconstitutional by their constitutional court. That research found that their mandatory data retention regime had increased crime clearance rates by only 0.006 per cent, which I think is as statistically close to zero as one can probably get.

There is one element of the legislation which EFA does support, which is the move to restrict the number of agencies that are given warrantless access to communications data. EFA believes this is a necessary and urgent reform, which was recommended by the Parliamentary Joint Committee on Intelligence and Security in its report during the last parliament. EFA would, however, like to see that particular recommendation enacted in full, which is not just to restrict the list of agencies that could access data but to actually increase the threshold relating to the seriousness of the offence for which it could be accessed.

EFA's graver concern about this legislation, however, is that it fails to even define the dataset to be retained in the legislation. EFA firmly believes that defining the dataset by regulation, as has been proposed here, represents a serious undermining of the role of parliament and will enable the scope of the dataset to expand without proper security. History shows us only too clearly that schemes such as this almost inevitably expand in scope over time, and I think the evidence from the Attorney-General's Department on Friday suggested that that is very much the intention.

EFA is also entirely unconvinced by the proposed two-year period of retention and is unaware of any real evidence that suggests this time frame is in any way justified.

One point that became clear from the evidence to the intelligence and security committee last week is that, as all three primary telecommunications providers—Vodafone, Telstra and Optus—confirmed to the committee, they actually have no plans to reduce the communications data that they currently retain. Now, given that the primary justification for this legislation was the concern on the part of law enforcement and intelligence agencies that they would be losing access to data they currently have, I think that is a rather telling point, as it does tend to undermine that primary justification for this legislation.

Another thing we learnt last week was from the police witnesses who appeared. They almost universally testified that, essentially, accessing metadata has become an entirely routine element of criminal investigations and that the volume of requests that they process therefore means that any form of prior independent oversight would be completely unworkable. This is not, of course, a justification; rather, it is a function of the fact that the data has been readily and easily accessible for far too long. The assertion that some sort of prior judicial oversight would be unworkable is really rather circular logic, I think, and is further undermined by the fact that there are 11 countries in the European Union that have such a form of prior judicial authorisation for access to metadata.

The final point I would make, picking up some of the points that we heard in the testimony of the previous witnesses, is that there are enormous gaping holes in this legislation which will, we believe, largely make its effectiveness very limited, in the sense that, as Senator Ludlam has already picked up, 'If I want to avoid this type of retention, I can simply use third-party services provided from overseas; I can come to a public, unsecured wi-fi service,' such as is offered in this building or in universities, or in downtown Canberra, which right now has such a service.

So we would argue that the reality is that the intention of this legislation will be very, very easily circumvented, while the remainder of law-abiding Australians will be caught up by it and their data will be retained for long periods of time and, potentially, at risk of misuse. Thank you.

CHAIR: Thanks, Mr Lawrence. Who would like to kick off questions? Senator Reynolds.

Senator REYNOLDS: Thanks very much for your testimony today, Mr Lawrence. I want to pick up on that last point in terms of the potential misuse of metadata. We have had some conflicting testimony on this over the course of the inquiry. I do not know if you heard us discuss this before, but in terms of the meta data itself how easy is it to access? In terms of these datasets that we are looking at retaining under this legislation, we have had evidence that they are not very attractive to criminals because they are obviously after credit card and personal details for identity fraud and other purposes but the meta data itself is difficult to access, very difficult to consolidate and make any meaningful picture out of, considering alternative sources of information about people's habits and things. I am wondering if you could talk to us a bit more about who you see being interested in the retention of this information and going to the effort of accessing it, make sense of it and then use it.

Mr Lawrence : I think there are a few different answers to that. One is we know from Edward Snowden that analysts within the National Security Agency routinely use this sort of information to stalk potential and current lovers. They even had a term for it. They called it LoveINT. There is always going to be a risk from people with authorised access using it in an unauthorised manner. Every institution has its bad apples, corrupt elements, compromised elements and so forth so there is always going to be that risk.

Senator REYNOLDS: Which is an internal security risk for people who store it. They need to make sure that people who have access to it are authorised for appropriate purposes. So that is internal use.

Mr Lawrence : Yes.

Senator REYNOLDS: So that is not people who have hacked in.

Mr Lawrence : No, but is still obviously misuse and in a sense that is probably the greatest risk.

Senator REYNOLDS: Say I work for one of the ISP providers and I want to track my partner's movements or location. I guess the easiest thing would be to look at Facebook or get one of the tracking applications for people's mobile phones, but what about in terms of accessing this data and then putting it together? We have had various analogies about how much data you need and about the technology needed to put it together and make sense of it. If I were working in one of these organisations how would I go about doing that?

Mr Lawrence : I guess to a large extent that depends on your role, your level of technical expertise and your level of access. You are always going to have to have highly skilled technical experts to oversee any database.

Senator REYNOLDS: I think this is an important point you have raised, so I want to pursue it a bit further. For example, if someone is accessing phone calls are they accessing the meta data or are they accessing content? Obviously the distinction is very important because we are talking about meta data here not content. Are internal breaches to track see who their partner has been texting or what he has been texting? Are you talking about internal breaches of content or meta data?

Mr Lawrence : I am not really qualified to answer what type of content is stored. I suspect that in some cases content in the form of text messages may be stored, but I am not aware that telcos would routinely record the content of phone calls without some form of surveillance warrant being in place for that. I think it is important to remember that this meta data can in many ways be more invasive than the content of communications itself. There is a very infamous quote from Michael Hayden, who was at different times director of both the CIA and the NSA. He said, 'We kill people based on meta data.' The European Court of Justice in April 2014 ruled the European data retention directive is invalid and made this point very strongly as well. They said that while collection of communications data:

… may allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environment.

So, if you think about the fact that you can get all of that sort of information and piece that together without listening to a single piece of content, in a sense listening to content is time consuming; it does not necessarily give you facts, because people lie—

Senator REYNOLDS: Mr Lawrence, I understand all that and I am not disputing what you are quoting other people to have said. But perhaps I will bring you back to the security issues. You have indicated concern about unauthorised access. The first one you have raised is 'internal misuse', so staff within an organisation that stores this information. But what I am trying to work out is the threat of the access by staff working for the telco accessing the metadata and, if they do, what use that is to 99 per cent of workers who work in a company, or is it the content? The distinction between that is a very important issue in terms of what we are looking at now.

Mr Lawrence : The stalking example is a particularly obvious one, I think. If I am concerned about something that my current, potential or former lover is doing, the ability for me potentially to see what phone numbers they are calling, when they are calling them, where they are at certain times I think is actually very powerful information.

Senator REYNOLDS: We have not moved on to anything else; this is still the internal misuse. You are saying that people within a company who have access to this metadata could use it for their own purposes, and not just the content? Is that what you are saying?

Mr Lawrence : Correct, yes.

Senator REYNOLDS: So we have the internal misuse, which is an internal security issue. What are the other categories of access that you are concerned about in relation to the metadata?

Mr Lawrence : Clearly external penetration and compromising the database is another real risk, and we see examples of corporate databases being compromised almost every day. There was a large case recently, which you may be aware of, from Aussietravelcover, I believe it was called, where some hundreds of thousands of Australians with travel insurance had their information compromised through an external breach, I believe. What is interesting about that case is that the company in that case made a conscious decision not to inform the affected customers about it, and that brings up the issue of whether we need a mandatory data breach notification law, which very nearly passed the last parliament and I believe is before the Senate now.

There is one other point I would bring up. I point to some of the testimony that the gentleman from Telstra gave on Thursday. He was asked a similar question and he said that, at the moment, getting access to metadata and putting it together in a way that can help you get a picture of somebody's life within the Telstra system would take a great deal of technical knowledge, of understanding where things are, because they have a whole range of legacy systems and different databases and so forth. But his point was that this legislation would essentially require them to start collating that information together in one central database, where it is therefore, almost by definition, much, much easier to interrogate and much, much easier to penetrate and misuse. I think that is a pretty telling point, because I think you are right to one extent in the sense that you do need a fair bit of technical knowledge to access this information; but, as the gentleman from Telstra said, there is a good chance that what we are doing here is making it even easier to compromise and misuse and understand.

Senator REYNOLDS: Then it comes down to an issue of security, both internally and externally?

Mr Lawrence : Yes.

CHAIR: Thanks again, Mr Lawrence. One of the issues that you have gone into in quite a bit of detail in your submission, but which I do not think has been well canvassed to date, is circumvention of data retention. To my mind this may go to why the crime clearance statistics in Germany or the inquiries that were conducted in the United States into the fact that it did not help national security might come down to the fact that it is trivially easy to either accidentally or intentionally circumvent. I wonder whether you might take us through section 6 of your submission. You talk about incidental circumvention of data retention—that is, accidentally rendering yourself outside its scope. Do you want to talk us through how that can happen?

Mr Lawrence : Certainly. I think you actually covered this with the gentleman from the Communications Alliance just before. There are—

CHAIR: You guys were more systematic. I was just taking shots in the dark.

Mr Lawrence : Fair enough. There are four quite sensible reasons, quite big exemptions from this legislation, which effectively include most forms of what we might call public wi-fi. That includes the Parliament House service, which many of you may be using right now which of course requires no login, just terms and conditions; internet cafes; schools; libraries; universities; and train stations. The Greyhound bus to Sydney offers a wi-fi service. None of these are going to be forced to collect any information and, in a sense, many of them are not in a position to because they require no logins. So the only real information you can determine in that context is what is called the mac address, which is a physical address associated with a particular machine. The only way you can then connect some activity on that network with that machine is by physically having access to the machine. So there are big issues there and we have spelt out a few here.

There is the situation where somebody using wi-fi at a hotel, which of course is something that people do routinely every day, might use one of these extremely popular services such as Gmail, Skype or iPhone Messenger and so forth which are not in any way covered by this legislation, and I suspect it would be very difficult for Australia to do that even if we chose to. So there is a whole range of issues there where people are able to essentially communicate without being trapped here.

There are other issues around use of VPNs, which are standard issue in the corporate and government world for secure access to networks. They are also very popular these days for people who wish to get around geographic blocking for content services and they are also, I believe, routinely used by sophisticated criminals and other people of malicious intent to obfuscate their location and communicate securely. So there are a number of issues both with intent and without intent.

The point there is that essentially those people who have any degree of technical sophistication will find it very easy to circumvent the intent of this legislation. Again, we end up with a situation where information is being collected in bulk on the vast majority of law-abiding Australian citizens with no real, potential, demonstrable effect on catching serious crime.

CHAIR: Which might have some bearing on the statistics you quoted at the outset that in the jurisdictions where this regime did exist for a period of time it had no discernible impact. Then there is active circumvention of data retention. This goes more to people who are deliberately, for legitimate or illegitimate purposes, trying to hide their tracks. What is your understanding of where the technology industry is heading over the next couple of years? My instinct would be we will start to see much tighter encryption by default and devices and services simply not recording metadata so it is not there to subpoena. Do you get a sense of where the technical community is heading on some of this stuff?

Mr Lawrence : I think we are already a long way down that path. There has been a very significant shift since Edward Snowden's revelations that has moved technology providers, particularly the large US based providers who are very conscious of the fact that they need to rebuild trust with their user base. I believe Google is working on an end-to-end encryption for its Gmail. WhatsApp was mentioned earlier. That is one that has come out and said, 'We're encrypting everything and storing nothing.' There is a whole range of services and devices now which are being targeted at people who are concerned about having their communications monitored. Whether that is by government or by anyone else is another matter.

But I think that, in a sense, what we have seen here, particularly from the National Security Agency, is something of an own goal in the sense that, by effectively overreaching so far into people's lives by doing things such as actively undermining encryption and other security technologies, they are not only making the US and citizens of other countries less safe but also having a dramatic impact on their own commercial success. I have seen figures about the US cloud services market showing that it has taken a hit worth billions of dollars in lost business since the Snowden revelations because people simply refuse to use those services anymore. We see countries like Switzerland, Iceland and various others now starting to market themselves as safe data havens, as it were. So I think there are real issues here about internet usage generally, and I think we need to understand that, if people are aware that there is ubiquitous surveillance going on, it really will change their behaviour in ways that may not be in this country's interests.

CHAIR: And there is some evidence that that is already occurring. In your submission, unlike some others, at section 1.1 you talk about interplay with foreign surveillance. We have not taken a huge amount of evidence from international witnesses, so we have not dwelled here. Mostly we have been looking at reforms that are available to us in Australian law, but maybe I will draw you out a little bit on how Australian law or Australian telecommunications services interact with those revelations and with the fact that we are a partner in this Five Eyes alliance with the US and others. We are talking about whether Skype or Gmail, for example, would be available to an Australian data retention scheme. Probably it would be out of scope, because that stuff is hosted overseas. However, we do know that the US NSA has been vacuuming not just metadata but tonnes of content as well and dumping it off in various facilities. So what would you propose for Australian lawmakers, given that that is the international technical context, to protect ourselves against that kind of behaviour, given how deeply we are implicated in it? That is just an easy, trivial one for you!

Mr Lawrence : Yes, thanks! I think it is very unfortunate that this and the previous government have been so reluctant to discuss issues around this. I think it is pretty unhelpful just to play the 'we don't discuss surveillance matters' line and to not engage with issues that are already in the public domain. We have seen pretty serious inquiries in the US and the UK which have looked at actual activities of their intelligence agencies, and I think this country deserves a similar review. What we do seem to have some evidence of is that the Five Eyes is in some ways a process for ensuring that there is fairly comprehensive and ubiquitous surveillance of each country by the others. So, while the US, for example, has strict rules—even though these were clearly flouted by the NSA—protecting the interests of US citizens from surveillance, there is no reason not to suspect that those citizens were being surveilled, for example, by the Canadians and that the information was then swapped back. We know that GCHQ in the UK was particularly keen on doing this, and I cannot see any evidence to suggest that Australian and New Zealand intelligence agencies would be any less enthusiastic.

Of course, we have the information from Edward Snowden, which we mentioned in our submission, about the offer from the then Defence Signals Directorate to provide 'bulk unselected, unminimised metadata as long as there is no intent to target an Australian national'. They were just prepared to hand that over to their Five Eyes partners without any further ado. As we said, it is therefore possible, if not probable, that Australia's agencies have been collecting, spying and supplying complete contents of Australian communications to foreign partners for many years. That, we believe, is a significant issue. Again, as we said, there really is a lack of information here. I would personally like to see this parliament have a much greater scrutiny role over the operations of our intelligence agencies. I think the intelligence and security committee could have its powers increased in that area, as I believe is being proposed. We would probably support that.

CHAIR: Just finally from me: you mentioned almost as a throwaway line before that you were concerned that people faced with the scope of ubiquitous surveillance change their behaviour whether they know they are being monitored or not. This is not necessarily active surveillance; it is even the act of passively recording everything that they do. What evidence is there for that? And what kinds of behaviour changes have been observed? What could that look like?

Mr Lawrence : There are some obvious ones such as increased awareness of, interest in and use of things like encryption and encrypted tools. It is certainly something of which there is now pretty clear evidence out there in the community. I have seen research that suggests that certain search terms have declined in usage since the Snowden revelations—terms particularly relating to intelligence and terrorism and similar things. People are just not doing those searches anymore, because they are maybe aware that those searches throw up red flags in a particular database and could in the worst possible circumstance lead to them getting on a no-fly list or something extreme like that. There is some evidence there. I believe there is some evidence from Germany, which, again, looked at the period during which they had a mandatory data retention regime and which suggested that people were changing their behaviour in terms of technology use and so forth.

If people lose trust in the internet and telecommunications then will have some real, potentially dramatic financial implications for the banking sector, the delivery of government services and, obviously, freedom of expression and the operation of our media. I think we heard the MEAA say last week that, in their belief, this legislation would make it impossible for the media to do its job properly in this democracy. So I think we are dealing with some pretty fundamental issues here.

CHAIR: As there are no follow-up questions: Mr Lawrence, thank you very much for coming here today and for putting your arguments to us.