Mandatory data retention legislation is never a good idea, which is why EFF has vigorously opposed it in the United States, where Congress tried and failed to pass it in 2009. That year, two ill-conceived bills would have required all Internet providers and operators of Wi-Fi access points to keep records on Internet users for at least two years to assist police investigations. Nevertheless, governments around the world, individually, and in concert, continue to argue that the stockpiling of the private, personal data of entire populations become a global norm. It's a constant battle, but one with some clear victories, most notably in the European Union, and most recently in Paraguay. The latest setback in the global fight against data retention has been in Australia, which, despite widespread opposition from journalists, activists and the general public, passed a comprehensive data retention bill this month.
What’s wrong with mandatory data retention? Most ISPs and telecommunications companies give subscribers an IP address that changes periodically. Mandatory data retention proposals force ISPs and telecommunications providers to keep records of their IP address allocations for a certain period of time. This allows law enforcement to ask ISPs and telecom providers to identify an individual on the basis of who had a given IP address at a particular date and time. Government mandated data retention impacts millions of ordinary users compromising online anonymity that is crucial for whistle-blowers, investigators, journalists, and those engaging in political speech. National data retention laws are invasive, costly, and damage the right to privacy and free expression. They compel ISPs and telecommunications companies to create large databases of information about who communicates with whom via Internet or phone, the duration of the exchange, and the users’ location. These regimes require that your IP address be collected and retained for every step you make online. Privacy risks increase as these databases become vulnerable to theft and accidental disclosure. Service providers must absorb the expense of storing and maintaining these large databases and often pass these costs on to consumers.
And why is the Australian data retention bill particularly bad? Let us count the ways. The Australian Parliament passed amendments to the Telecommunications (Interception and Access) Act 1979 requiring telecommunication service providers to retain for two years certain telecommunications metadata prescribed by regulations. Don’t be fooled by the argument that it’s “just metadata.” Even if the content of your communication is protected, metadata can be extremely revealing. In the United States, former Director of the National Security Agency Gen. Michael Hayden has gone on the record stating “We kill people based on metadata.” It’s also implementing a data collection regime that has been soundly discredited in the European Union’s courts.
Ars Technica’s Glyn Moody writes:
The two-year retention period equals the maximum allowed under the EU's earlier Data Retention Directive that was struck down last year by the Court of Justice of the European Union for being "a wide-ranging and particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data."
The Australian government was able to win this vote with the cooperation of the main opposition Labor party when they added a requirement to use special "journalist information warrants" for access to journalists’ metadata. Those protections are laughably weak. For example, the law uses a very narrow definition of what constitutes a journalist:
A person who is working in a professional capacity as a journalist.
What’s missing from this definition? Bloggers, lawyers, policy advisers, and any number of other people who may write things that are critical of the government. Additionally, the data retention law explicitly outlaws “warrant canaries,” a novel strategy that some providers use to signal that they have not received a gag order, the theory being that if the signal is not renewed, that status has likely changed. Canary Watch currently tracks the state of warrant canaries for dozens of companies, ranging from VPN providers to reddit.
So where do we go from here? Even if mandatory data retention is the law of the land in Australia, that doesn’t mean the battle is over. It was the passing of the original EU data retention directive in 2006 that mobilized and fueled the growth of a new generation of digital rights groups across Europe, including Germany and Austria's AK Vorrat, the UK's Open Rights Group, and Digital Rights Ireland, whose lawsuit against the mandate led to its final repeal.
That fight took eight years; but it shows that overturning data retention is possible. The Australian Green Party’s Scott Ludlam, who has vigorously opposed the bill from its very conception immediately put out a statement vowing to fight: “Our work now turns to repealing this regime.” He also urged accountability for every MP that supports the regime, calling on Australians to contact Bill Shorten and his Labour colleagues and tell them “you’re unhappy with their decision to surrender our digital rights and privacy.”
The legal and policy fight against data retention may take time. But Australians can take immediate steps to protect themselves from mandatory data retention for themselves as well as protecting those who are most vulnerable to illegitimate surveillance with technology. EFF’s Surveillance Self Defense offers tips, tools, and how-tos for safer online communications, whether its protecting your metadata with a VPN or Tor or choosing the appropriate secure communications tools for your needs. The flimsy protections for a small subset of journalists in Australia's law will not be enough: everyone at risk from pervasive, long-term data collection will need to take steps to protect themselves.
Australians cannot be alone in this fight. Every nation – from the United States, Europe to Paraguay – that rejects data retention, strengthens the arguments in favor of rejecting it globally. Every country that falls prey to data retention law, from Australia to Brazil, encourages other states to press for it in their own legislatures. It's a global fight, and one that will require solidarity and a global alliance against data retention to combat it.