Australia’s data retention law – formally introduced back in March as the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2015 – has gone live. Thus, Australia’s entire communications industry has been turned into a surveillance and monitoring arm of at least 21 agencies of executive government (some listed in Appendix below). But don’t panic: there are precautions you can take – see below in Section B for guides and some tips. But, first, in Section ‘A’ we explain in detail how the new legislation can affect you if you don’t take these precautions.
A. How the ‘Snooper’s Charter’ works:
Back in March the Australian Government implemented the recommendations of the Parliamentary Joint Committee on Intelligence and Security’s (PJCIS) ‘Report of the Inquiry into Potential Reforms of Australia’s National Security Legislation’. This was done by amending the Telecommunications (Interception and Access) Act 1979 as follows:
- requires telecommunications service providers to retain and secure for two years telecommunications data (not content);
- requires service providers to protect retained data through encryption and prevent unauthorised interference and access;
- requires the PJCIS to review the mandatory data retention scheme no more than three years after the end of the implementation phase;
- limits the range of agencies that are able to access telecommunications data and stored communications;
- establishes a journalist information warrants regime;
- restricts the agencies who can access this data;
- requires the minister to refer to the PJCIS any legislative proposal so as to amend which agencies can access the data;
- provides for record-keeping and reporting on the use of, and access to, telecommunications data;
- and enables the Commonwealth Ombudsman to assess agency compliance.
- in regard to the Australian Security Intelligence Organisation Act 1979, to ensure that certain matters relating to data retention be included in the Australian Security Intelligence Organisation’s (ASIO) annual report;
- in regard to the Intelligence Services Act 2001, to enable the PJCIS to inquire into operational matters relating to the use of telecommunications data by ASIO and the Australian Federal Police and in relation to counter-terrorism functions;
- in regard to the Telecommunications Act 1997, to prohibit civil litigants from being able to access certain telecommunications data;
- and in regard to the Telecommunications Act 1997 and Privacy Act 1988, to make consequential amendments as needed.
What all this gobbledegook means is that government agencies with a simple click of a button will be able to send a request to an internet service provider and retrieve information about who you emailed, where you were at the time, and what kind of device you were using – and data of this kind that is up to two years old. These measures will allow government agencies to find out what numbers you called, who you spoke with, where you were at the time, who you emailed, where you accessed the internet from, and what device you were using. And much, much more. And this applies to all Australians.
The dataset will generally consist of subscriber or account holder details, the source and destination of a communication, the date, time and duration of communication, your location and what services were used (e.g. voice, SMS, social media, Skype, and the type of delivery services – ADSL, Wi-Fi, VoIP, cable, etc).
Your mobile phone data includes your location as your phone interacts with nearby phone towers, so it can be used as a tracking device, whether or not it is turned on. And while a single phone call time and duration won’t tell anyone much about you, in aggregate communications data will reveal far more about you than content data. Indeed, agencies can accumulate a record of everyone you have called, everyone they have called, how long you spoke for, the order of the calls, and where you were when you made the call, so as to build a profile. It can reveal not just straightforward details, such as your friends and acquaintances, but also if you have medical issues, your financial interests, what you’re buying, if you’re having an affair or have ended a relationship, and so on.
Under the traditional definition of metadata, this information about our communications would include:
- the location that the call originated from, e.g. home address of the telephone, subscription information, nearest cell tower, etc
- the device that sent or made the communication, e.g. telephone identifier, IMEI number of the mobile phone, and other relatively unique data from the computer that sent a message
- the times at which the message was made and was sent
- the recipient of the communication and their location and device and time received
- information related to the sender and recipients of a communication, e.g. email address, address book entry information, email providers, ISPs and IP address, and
- the length of a continuous interaction or the size of a message, e.g. how long was a phone call? how many bits in a message?
When it comes to metadata, the Attorney-General’s department wants telcos to also store a few extra things, including:
• present and past subscriber name
• address information
• 64-bit IMSI ID and other network identifiers
• financial/billing information
• account state and billing type
• upload/download volumes on mobile devices
• upload/download allowances on the plan
• type of service used (network type, i.e. ADSL, 4G LTE)
Regarding internet usage (if these services are provided by an Australian operator):
- your email address.
- time, date, size and recipients of emails.
- file type and size of any attachments sent or received with emails.
- online chat time, date and the identity of those on the chat.
- How many uploads/downloads made and the size of each one.
- account details held by the ISP or telco provider, including when the account was activated or suspended.
The electronically logged data of mobile, landline voice (including missed and failed) calls and text messages, all emails, download volumes and location information will be mandatorily retained by Australian telcos and ISPs. Intelligence and law enforcement agencies will have immediate, warrantless and accumulating access to all telephone and internet metadata required by law, with a $2 million penalty for telcos and ISPs that don’t comply.
Over time, your metadata will expose your private email, SMS and fixed-line caller traffic; consumer, work and professional activities and habits, showing the patterns of all your communications; your commercial transactions and monetised subscriptions or downloads; and exactly who you communicate with, and how often.
And there are other provisions:
- The collected data must be retained for two years.
- Australian providers of email services will be required to keep records about each email sent and received by a subscriber, but popular overseas services like Gmail, Hotmail and Yahoo are exempt.
- Internet service providers supplying Wi-Fi to cafes, hotels, motels, restaurants, public and private transport will be obliged to retain data from those services.
- Records of all unsuccessful or untariffed communications must be retained too – including 1800 calls, missed or unanswered calls, emails or VoIP (voice over internet protocol like iiNet’s Nodephone) sent to a non-existent or incomplete address.
- Data retention obligations do not apply to internet and intranet services provided within corporate and university networks, unless they provide internet connections to visitors “outside their immediate circle”.
B. Taking steps to avoid privacy invasion
Here are some simple steps in the form of guides to avoid your privacy being compromised…
- Here is the Electronic Frontier Foundation’s ‘Surveillance Self-Defense: Tips, Tools and How-tos for Safer Online Communications’
- Here is an advanced guide on ensuring your PC is secure.
- Here is a copy (pdf download) of Encryption Works from Freedom of the Press.
- Here is Security in a Box (tools & tactics for activists).
- Here is ‘Me & My Shadow’ (explains how to minimise being watched on the Internet)
- Finally, here is The Intercept’s guide (long read, but easy) on internet security.
If blogging you may also wish to note the following 12 tips:
- Use different PCs for different functions (i.e. one for everyday use as ‘you’; another for blogging) with different ISP for each PC.
- For your blogging PC, ensure it is secondhand, purchased in cash using a fake name/address; that it is professionally stripped and reinstalled with a suitable operating system – e.g. Ubuntu or Debian (never use MS); that it is encrypted; and that you use a pay-as-you-go account to access the internet (again, paid by cash).
- Ensure your blog is hosted by a non-Australian firm (preferably based in a country with lax surveillance laws) and that all the blog’s privacy features are enabled.
- Always use Tor to access your blog and any social media accounts – e.g. Twitter – that are related to that blog.
- Never use your real name or refer to anything that can identify you on the blog or related social media accounts or in your blog searches; ensure social media privacy settings are applied.
- Ensure all docs/images/pdfs uploaded to the blog are created on your blogging PC and are stripped of metadata.
- Ensure cookies are disabled for the blogging PC, that sound and video are disabled (the in-built camera covered too) and that Flash is disabled (all features that can pass on information about you to sites).
- Avoid using any Wi-Fi that can be used to identify you (e.g. that requires registration or is in an Internet cafe with CCTV).
- Do not register with search engines via your blogging PC.
- Use a VPN (doesn’t hide your location data, by the way) and, preferably, Tails on the blogging PC.
- Do not purchase anything online via the blogging PC that can identify you; never log on to your blog or associated social network accounts from any PC other than your blogging PC.
(Note: the above list is not exhaustive.)
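The tip above about stripping metadata from uploads, as an added example that is not part of the original article: a standard-library Python routine that removes the EXIF/XMP, IPTC and comment segments from a JPEG before it is published. The choice of which segments to keep and the sample bytes are assumptions constructed for illustration; PDFs and office documents store metadata differently and need their own tools.

```python
import struct

# Kept: APP0 (JFIF header), APP2 (ICC colour profile), APP14 (Adobe colour
# transform). Dropped: every other APPn plus COM. APP1 carries EXIF (GPS
# position, camera serial, timestamps) and XMP; APP13 carries IPTC.
KEEP_APP = {0xE0, 0xE2, 0xEE}
COM, SOS = 0xFE, 0xDA


def strip_jpeg_metadata(data: bytes):
    """Return (cleaned JPEG bytes, markers of the dropped segments)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    out, dropped, pos = bytearray(data[:2]), [], 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        while pos < len(data) and data[pos] == 0xFF:   # skip 0xFF fill bytes
            pos += 1
        if pos + 3 > len(data):
            raise ValueError("truncated segment header")
        marker = data[pos]
        if marker == SOS:
            # Bytes from the first scan onward are copied unchanged.
            out += b"\xff" + data[pos:]
            return bytes(out), dropped
        (length,) = struct.unpack(">H", data[pos + 1:pos + 3])
        end = pos + 1 + length            # length counts its own two bytes
        if length < 2 or end > len(data):
            raise ValueError(f"bad length in segment 0x{marker:02X}")
        is_app = 0xE0 <= marker <= 0xEF
        if marker == COM or (is_app and marker not in KEEP_APP):
            dropped.append(marker)
        else:
            out += b"\xff" + data[pos:end]
        pos = end
    raise ValueError("no SOS marker found: no image data")


def _seg(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample (structurally valid segments, not a decodable photo).
SAMPLE = (b"\xff\xd8" + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
          + _seg(0xE1, b"Exif\x00\x00" + b"GPS -33.86,151.21")
          + _seg(0xFE, b"edited on home-pc") + _seg(0xDB, b"\x00" * 65)
          + _seg(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\xff\xd9")
```

Run it on the file's bytes and check that the returned list of dropped markers is empty on a second pass before uploading.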
Also, if you wish to associate an email account with your blog, select one which is not linked to an Australian ISP and has end-to-end encryption with PGP, open it under a fake name and use it for limited purposes. And if you can’t resist using a smartphone, bear in mind that location can still be tracked even with the phone switched off and the battery removed – so best not to have it at hand when blogging.
The list of agencies authorised to access this information without a warrant:
- ASIO (Australian Security Intelligence Organisation)
- Australian Border Force
- Australian Federal Police
- All state and territory police forces
- The Australian Commission for Law Enforcement Integrity
- Australian Crime Commission
- Australian Securities and Investments Commission
- Australian Competition and Consumer Commission
- NSW Crime Commission
- NSW Independent Commission Against Corruption
- NSW Police Integrity Commission
- Queensland Crime and Corruption Commission
- West Australian Corruption and Crime Commission
- South Australian Independent Commission Against Corruption
- Any other agency (public or private) the Attorney General publicly declares