Data retention means telcos risk Privacy Act breach, Pilgrim warns Australia's privacy watchdog Timothy Pilgrim has warned that indiscriminate metadata collection would place personal information at risk of privacy breaches. Under the presently broad and opaque proposal, telcos could be required to at least hold data on Australians that would link them to their internet protocol addresses in …
" . . . this data could be considered 'personal information' under the Privacy Act."
Could? I would argue that if it isn't considered 'personal information' already then it bloody well should be!
The fundamental problem we are facing is that our politicians and police just don't place very much value on our privacy. Whatever else, broad, 'drag-net' data collection on the public should be considered a very serious, very extreme and exceptional measure and thus only to be justified by the most extreme and exceptional circumstances.
I am not saying that the police don't need to collect data, because they do and I support that. But that ability already exists and is, in general, controlled by the issue of warrants. It is targeted and therefore is only undertaken where there is reasonable, qualifiable, suspicion.
'Drag-net' style surveillance takes, as a basic premise, the idea that everyone is a potential criminal. It doesn't matter what the government says - that is what it is. The only question we really need to ask is whether there is any threat serious enough to accept that.
The only possible way for this proposal to maintain even a semblance of proportionality is if the captured data is treated as even more sensitive and restricted than is currently the case. That means that ANY of the data - no matter how insignificant - can only be accessed with a warrant approved by a judge. Further, the warrant must specify exactly what types of data are accessible under the warrant terms, and how much history is allowed.
The specific data that is expected to be found must be identified (and this cannot be overly broad) and ONLY that data can be searched for. If it is not found then another warrant must be submitted, identifying the other data they want to look at. It should be shown that the data requested is essential and cannot be obtained in any other, more traditional way; this giant repository should be a last resort and not a convenient first-call.
Any person at all found to be involved in misusing the records will be convicted of a crime carrying mandatory jail time and be permanently banned from ever working in a public position ever again. Any data so gained will be expunged from the system entirely and be inadmissible in any legal proceedings. The person whose records have been accessed will be informed immediately and will have the option to press for compensation against both the institution involved (e.g. the police) as well as the specific personnel responsible.
Of course, the restrictions on the scope of data obtained should meet the verified needs so there must be special provisions for requesting large quantities of data or using open-ended searches against specific targets. Those requests must, however, be justified by the strongest need and so also subject to the strongest scrutiny.
Further, this data retention should be evaluated YEARLY, against the specific threats that were used to justify its implementation in the first place. That means, amongst other things, that, just like any project in a commercial environment, the reasons and proposed outcomes must be defined before the project starts and then continually evaluated as time goes on. If it is found that the project is not meeting its goals then it should be suspended immediately until a full review has been completed.
In other words, this proposal should be seen as a massive, unprecedented and extreme measure and so should only be justifiable by the most unprecedented and extreme situation. It should be controlled with a level of strictness and scrutiny that exceeds anything currently in place, just as the amount of data being collected and retained exceeds anything currently in place.
That said, I still do not support this - not at all - but the above is what must occur for it to be considered proportional.
And that's the problem - the government talks about the proposal being proportional to the level of the supposed threat but they should also talk about it being proportional to the level of the assured privacy concerns. If exceptional measures are required to meet an exceptional threat then (assuming the threat is actually that exceptional . . . ) likewise are exceptional safeguards required to protect an exceptional invasion of privacy.
In some variations on the theme, email headers were mentioned. Subject lines are a work composed by an author, and my understanding is that technically is covered by copyright laws.
If the government mandated retention of these emails, where does my right to control copies of my works fit into the proposal? It's somewhat ironic that the George Brandis was not that long ago banging on about illegal copying of content on the internet, and now wants to copy my content just in case I do something naughty in the next 730.5 days.
"I'm not pirating TV shows... I'm simply retaining copies in case they turn out to contain terrorism material and the police need them for evidence. I promise I'll delete it in 2 years."
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
