Australian phone and Internet companies face new requirements for retaining customer records under a law that took effect on Tuesday.
The new policy requires companies to hold onto customer metadata—information about phone calls and email activity but not call recordings or email contents—for at least two years. The policy does not cover Web browsing activity like the URLs of websites visited.
The Australian parliament passed the bill in late March, despite objections from civil-liberties advocates and privacy groups who warned that the new policy would embolden illegal government surveillance. Metadata access requests do not require a warrant or any judicial approval.
Lawmakers made limited efforts to address privacy concerns by requiring the Australian attorney general to approve metadata requests from non-law-enforcement agencies. Those agencies could previously access it directly. The Commonwealth Ombudsman, Australia’s national liaison between government agencies and private citizens, can also review metadata requests.
The law includes an exception to the warrant-free access for requests seeking journalists’ metadata in an attempt to identify their sources, but those warrant requests still occur in secret, much like the proceedings of the Foreign Intelligence Surveillance Court (FISC) in the United States.
“Customer data now sits in yet another honey pot, ripe for malicious attackers,” said Peter Micek, a senior policy counsel at the digital-rights group Access. “Civil society loses out when their contacts, call records, and more lay in wait for adversaries—whether the Five Eyes governments, or simply bureaucrats and telco technicians willing to abuse their access. Donor pools, overseas contacts, and conversations with vulnerable clients, such as asylum seekers, will now be exposed for business purposes much longer than necessary. Make no mistake: this data retention machine will chill speech.”
Nearly nine in 10 Australian Internet service providers say that they are not ready to implement the new retention policy, which requires them to submit retention plans that the government must approve and could force them to buy more servers to store the data.
“The way that the legislation is drafted doesn’t provide us with all of the detail about what exactly is required in all of their services,” John Stanton, CEO of the Australian telecom industry group Communications Alliance, told the Australian Broadcasting Corporation.
Former National Security Agency contractor Edward Snowden, whose stolen documents sparked a global conversation about government surveillance, inveighed against the new law on Twitter.
Beginning today, if you are Australian, everything you do online is being tracked, stored, and retained for 2 years. https://t.co/g8etUYgHGr
— Edward Snowden (@Snowden) October 12, 2015
Although metadata only consists of information about communications, those records can be enough to assemble a fairly clear picture of an individual’s online activities. For example, while phone calls to psychiatrists are not recorded, it is trivially easy to match a phone number that repeatedly appears in customer metadata to a psychiatrist’s office.
The role of metadata in U.S. surveillance programs prompted Congress to pass a law that restricted how the NSA could access those records, shifting the collection responsibility from the government to American ISPs. That law, the USA Freedom Act, does not require ISPs to hold onto metadata for a specified period of time, something that surveillance hawks have said they favor as a way of preserving records for investigations.
The Office of the Australian Information Commissioner is expected to release a public report on ISPs’ compliance with law-enforcement data requests in late October.
Update 1:53pm CT, Oct. 13: Added comment from Access.
H/T The Guardian