Australian Mandatory Data Retention Abused Just Weeks After Rules Are Put In Place

from the because-that's-what-happens-with-data-retention dept

We've been talking about Australian politicians' odd obsession with passing ever more draconian data retention rules for years now. As you may recall, the politicians pushing for this appeared to have absolutely no clue what it actually entailed. Just a few months ago, we wrote about reports that Australia's data retention laws had been abused to spy on journalists and their sources. While some parts of the law went into effect a year and a half ago, it appears some parts just went into effect a few weeks ago. These new rules require every ISP to retain metadata on all online communications for at least two years. And... it took just about two weeks before the Australian Federal Police (AFP) was forced to admit that it had used the info to spy on journalists (again). They insist this was a mistake, of course.

"Earlier this week, the AFP self-reported to the Commonwealth Ombudsman that we had breached the Telecommunications Interception Act. The breach ... related to an investigator who sought and was provided access to the call records of a journalist without the prior authority of a journalist information warrant," AFP Commissioner Andrew Colvin said on Friday afternoon.

"No investigational activity has occurred as a result of us being provided with that material. Put simply, this was human error. It should not have occurred, the AFP take this very seriously, and we take full responsibility for a breach in the Act. I also want to say there was no ill will, malice, or bad intent by the officers involved who breached the Act. Quite simply, it was a mistake that should not have happened."

Even if this truly was an accident, it highlights why mandatory data retention is so dangerous. That information will be accessed, and not always for good reasons. There's a reason why we don't allow law enforcement to search our stuff willy-nilly without a warrant, and mandatory data retention completely flips this whole concept on its head for no good reason. Such information will almost always be abused -- and sometimes pretty damn quickly after it's available.

Filed Under: australia, data retention, isps, journalists, privacy, surveillance

Reader Comments

  1. Anonymous Coward, 2 May 2017 @ 8:26pm

    I'm curious as to how a system that requires special warrants for a journalist is supposed to work.

    I mean, does an ISP know whether one of their customer accounts is a journalist's account? Is there some magic account type that is flagged as a journalist account? When signing up for an account, is the customer expected to ask for a special journalist account? Or is it just some flag on that account that a journalist has to request the ISP to set?

    Or does the ISP, or some global registration body, keep some register somewhere of who is a journalist?

    What happens if a non-journalist then becomes a journalist (however that is defined), are they supposed to inform the ISP to get their account flagged? Or create a new special journalist account? Or register with some body?

    So, when an ISP receives a 'regular' warrant, are they supposed to first verify whether the target is a journalist or not? Are they on the register, have a special account or a flagged account, or do they have to do some sort of investigation first - Google searches, contact the target and ask them, what?

    If there is no reasonable way for an ISP to know whether an account is a journalist's account, then to them the warrant-type is pretty much irrelevant - they have a warrant, hand over the data.

    OK, so whether there is a way or not for the ISP to know whether the account is a journalist's account, how is the requesting officer supposed to know? I mean, if they suspect some person of some crime where they want the browsing data - probably automatically requested for any suspect for any crime no matter what it is (mugging, auto-theft, assault, causing a public disturbance, public urination...) that data is there so why not get it - how do they know whether the suspect is a journalist?

    Again, is there some register kept, such that when they enter the name into the software that creates the warrant it automatically flags it as a journalist's account for additional approval processes? Or do they have to specifically choose the "journalist metadata warrant" form type, therefore they already need to know so as to choose the right form?

    Or, before requesting any metadata warrant, ever, for anyone, are they supposed to do some sort of investigation first into whether the suspect is a journalist or not?

    I can see all sorts of problems with requiring any sort of 'special' warrant for some specific class or classes of individuals.
