Data retention laws the lesser evil

In The Australian today:
“There is plenty to criticise in the government’s handling of its proposed data retention laws. But the hysteria with which they have been greeted completely misses the point.”

About Henry Ergas

Henry Ergas is a columnist for The Australian newspaper and the inaugural Professor of Infrastructure Economics at the SMART Infrastructure Facility at the University of Wollongong. The SMART Infrastructure Facility is a $61.8 million world-class research and training centre concerned with integrated infrastructure solutions for the future. Henry is also Senior Economic Adviser to Deloitte Australia. Prior to these concurrent roles Henry worked as a consultant economist at NECG, CRA International and Concept Economics. Henry's previous career was as an economist at the OECD in Paris, where amongst other roles he headed the Secretary-General’s Task Force on Structural Adjustment and was Counsellor for Structural Policy in the Economics Department.
This entry was posted in Uncategorized. Bookmark the permalink.

54 Responses to Data retention laws the lesser evil

  1. Fleeced

    Sorry Henry, but the metadata for internet stuff contains a lot more information than those of mere phone records. To say it’s not that big a deal is simply technical ignorance.

  2. The sheer volume of metadata makes its use remote from the snooping powerfully portrayed in The Lives of Others

    This too is a fallacy intended to delude those easily awed by big numbers.

    The simple problem is this: The truth of this rationale rests on the disinterest of those investigating. As soon as interest is aroused — for whatever reason, be it intelligence, correlation with overarching searches, or political or personal vendetta — that mass of data just provides more information.

    It’s a more diverse version of what I do with my computational fluid dynamics to look at the flows over submarines. Using a finer grid to calculate the flows simply makes no difference to the overall results after a certain level is reached. After that, finer grids are solely about being able to study very small areas in a great deal of detail and with a great deal of context.

    There is no safety in scale of data, just more danger.

  3. Alfonso

    Oh my Henry, if you’re serious you’ll champion profiling as the fix.
    Saves 90% of the time and money. It works, but a surveillance State then has no excuse to include the whole population……which of course is the end game aim.

  4. Fleeced

    Oh, and this insistence that they only ever wanted the IP the user was assigned and nothing more is merely damage control and back-pedalling on part of the government. I don’t believe them, and even if I did, it is merely the thin end of the wedge.

  5. Tel

    Let us have published metadata for public servants then. Where they go, who they associate with, who sighn off on each expenditure. Just the metadata would be fine.

  6. egg_

    Sorry Henry, but the metadata for internet stuff contains a lot more information than those of mere phone records.

    Which is saying something, because mere phone records (ITU-T SS7) contain a lot of information, particularly cellphones, much to the chagrin of the FBI in the Moussaoui (911) trial.

  7. Tel

    Oh yeah, and the names and employers of every person who goes to a party fundraising event. That would also be useful… not what they talk about, we can guess what they talk about… just the metadata will be sufficient.

  8. .

    There is no hysteria about these proposed laws. They are simply wrong.

  9. Fleeced

    Nice idea, Tel.

    And a minute-by-minute GPS breakdown of every elected rep should be made public. Not what they were doing – just where they were.

  10. .

    There ought to be constant feeds of their cameraphone, laptop camera, social media, email accounts and SMS and MMS/app traffic. As well as credit card records and update pings based on face and voice recognition tech. Along with audio…

  11. Token

    There is no hysteria about these proposed laws. They are simply wrong.

    Are we able to get some real discussion here? Which part of Henry’s article are correct, and which are incorrect?

    I have read the document and see plenty of concerns which should be acknowledged. I agree the metadata will not just be flushed and agencies like the ATO & ASADA have a habit of getting their hands on such feeds when such acts are “reformed”.

  12. .

    No.

    Concerns about data retention are not hysterical in the first instance.

  13. Token

    I don’t believe anyone who just says “No”.

    It indicates a lack of understanding of the nuances.

    That is equally as bad a way to handle the discussion as the article Gerard Henderson posed on Saturday.

  14. Bruce of Newcastle

    The problem with what you are saying Henry is that it is a complete waste of time.

    Anyone who is doing stuff they don’t want the government to know about will be using an encrypted VPN service, so all that ASIS can see is one URL to the VPN service and nothing else. Since the service is overseas they won’t even get court ordered access to the metadata.

    The rest of us are the victims of this stupid idea, not the terrorists and criminals.

    And if the rest of us get pissed off enough we’ll all fork out for encrypted VPN too.

    The idea is dumb, completely utterly dumb.

  15. .

    Can I be anymore clearer?

    Concerns about data retention are not hysterical in the first instance.

    Ergo Henry is wrong and discussing “nuances” is on false premises.

  16. incoherent rambler

    Fleeced
    #1411903, posted on August 11, 2014 at 7:42 am

    Sorry Henry, but the metadata for internet stuff contains a lot more information than those of mere phone records. To say it’s not that big a deal is simply technical ignorance.

    100 % agree.

    Are we able to get some real discussion here?
    Token, fleeced probably does not have the time to educate you, I know I do not.

  17. TerjeP

    The metadata the rules would cover is a minuscule share of that a communications network generates. Along with the standard telephony information, it includes the IP addresses the network assigns users in the course of an online session, matched to the account details of the user to whom those addresses have been assigned. Although this is barely the tip of the metadata iceberg, it is vital in tracking traffic patterns and identifying the users that traffic involves.

    If Henry is right about this being all that is included, and if a warrant is required to access the information, then on both technical and privacy grounds I am unconcerned and I agree with Henry. Mapping an IP address to a user for a given point in time is little different to mapping a phone number to a user at a given point in time. Or a house address to a tenant or a rental car to a customer. And unlike something such as firearm registration (which I oppose for multiple reasons) the burden on the customer is close to zero and the burden on the ISP essentially a one off.

    On technical grounds the storage involved in this is tiny. Assuming an extreme case of a user that changes IP address every 1 second for two years then assuming IP4 addresses the storage required is 63MBytes. That is a tiny amount of storage and it is an extreme example anyway (often users only change IP address every few months).

    The privacy issue ought to be resolved with properly designed laws outlining the warrants required. Perhaps those laws would also require that the ISPs report annually on the number of warrant enquiries received and from which government authorities.

    From a purely libertarian point of view you could argue that the ISPs like the rest of us should not be subject to legal mandates. But the burden of compliance in this instance is likely to be minuscule.

    Of course if they want metadata beyond a simple time based map of IP addresses assigned to users then the story changes. So any legislation they bring forward really ought to be closely scrutinised.

  18. Senile Old Guy

    If Henry is right about this being all that is included…

    But he isn’t. The metadata for a tweet can include the content of that tweet and a whole lot more.

    Check the iiNet submission to the Senate.

  19. Token

    Token, fleeced probably does not have the time to educate you, I know I do not.

    In other words you have no intention of trying to win the argument.

    This seems to a common issue of late. People argue from authority but choose not to bring people along by providing a summary of the key issues / objections.

    Concerns about data retention are not hysterical in the first instance.

    Ergo Henry is wrong and discussing “nuances” is on false premises.

    Why?

  20. Token

    Thank you Terje for working through the topic & Senile Old Guy for providing the detail to allow me to better understand the issue.

  21. TerjeP

    Senile Old Guy,

    The iiNet submission to the senate inquiry does not tell us what is in the intended legislation. I don’t know if the intended legislation has even been drafted yet. The senate inquiry was a precursor to inform the discussion. But the tiny bit of metadata that Henry says the legislation will be limited to (IP address assigned to user at a give point in time) is consistent with what Malcolm Turnbull has said in the media.

    I can easily imagine metadata retention legislation that would be horrendously invasive and technically burdensome. But the words from Turnbull suggest otherwise. What else do we have to go on before the legislation is drafted?

  22. Senile Old Guy

    Token

    I think Henry is great on economic issues but less good when he wanders away from his area of expertise. I am not an expert on this issue but am well aware that the metadata is much more than we are being told it is.

    There is also a major problem — highlighted by the iiNet submission — that no-one in the government has clearly stated what would be retained or how it will be accessed and used. Abbott and Brandis simply do not seem to have a clue. Turnbull should be more knowledgeable on the technical issues but, so far, has failed to convince me that he actually is.

  23. egg_

    But the tiny bit of metadata that Henry says the legislation will be limited to (IP address assigned to user at a give point in time) is consistent with what Malcolm Turnbull has said in the media.

    It’s a public network, as Bruce has described; there is no privacy.
    Under current anti-terrorism laws, law enforcement agencies with warrants can surveil a citizen for up to 3 months at a time IIRC.
    The iinet submission above re the tweet data should give an idea of what can be conveyed and “drilled down to”, if required.
    It’s naive to assume that one is having a “private conversation” on a public network.
    The “Law Enforcement Liaison Units” of Telcos deal with all of the above information on a daily basis.

  24. If Henry is right about this being all that is included, …

    As I said, this was a backpedal being pushed by Turnbull after Brandis beclowned himself on Sky News. Once mandated, it will be easy enough for them to change requirements of what needs to be required… indeed, I’ll bet you that it will be structured so as to not even require parliamentary approval for such future changes. Care to wager?

    … and if a warrant is required to access the information,

    No, these are all warrantless searches. Even if it’s as basic as the above (IP address of user, and nothing more), it will unlikely be used against terrorists. Here’s another wager: the first person “caught” be such a law will be for pirating TV shows.

  25. egg_

    Here’s another wager: the first person “caught” be such a law will be for pirating TV shows.

    +1

  26. TerjeP

    Egg – Under current law and with an appropriate warrant they can go beyond metadata and look at content. But that is an existing power.

  27. mark

    One asks, how did authorities catch paedophiles across international borders if not for metadata?

  28. TerjeP

    Fleeced – you’re right to be paranoid about a slippery slope. I accept that is a real risk. At the end of the debate I may well be of the view that the legislation should be blocked. But the debate ought to be an informed one and until the proposed legislation is tabled it is hard to know what we are debating.

  29. Senile Old Guy

    Fleeced.

    No way I’m taking those bets; sure losers, both.

  30. Token

    Here’s another wager: the first person “caught” be such a law will be for pirating TV shows.

    I don’t agree.

    The good people at ASADA are know for their good faith with private data and are keen for the extra powers to prove their case against James Hird & Essendon.

  31. Alex Davidson

    The more I read Henry Ergas, to more he seems to be an apologist for big government. He claims that the metadata retention proposals are necessary to protect us from terrorism, and to avoid even more intrusive surveillance. But how often has a terrorist event occurred here, how likely is it, and how would it compare to other risks to our lives? And why wouldn’t this be another slippery slope?

    The proposal is nothing more than Bentham’s panopticon – using fear to increase the power of government over private citizens – and should be rejected outright.

  32. .

    Data retention can be abused and it is highly unlikely to help ASIO, ASIS or the AFP.

    There is no nuance to be discussed after this is established.

  33. egg_

    One asks, how did authorities catch paedophiles across international borders if not for metadata?

    Sit next to Tracey Spicer’s kid on a plane and you might just get your ‘net activity traced. /sarc

  34. egg_

    Egg – Under current law and with an appropriate warrant they can go beyond metadata and look at content. But that is an existing power.

    Precisely.

  35. johanna

    Some commenters are conflating two separate issues – surveillance of targets using a warrant (which is currently legal anyway) and collecting everyone’s personal communications data in case it is wanted later. That is the government opening and copying all your snail mail in case they want to check you out down the track. And, don’t give me the “it’s just the envelope” thing, because as has been pointed out, this kind of data provides much more information that just the address on an envelope.

    I agree with Fleeced and others that it is not just the security services who want this. Copyright parasites, local councils, the police and who knows what other busybodies would love to use this for their own ends. And anyone who thinks that it won’t happen just hasn’t been paying attention to what happens to any information that governments collect about us. Over time, someone suggests that this or that other tremendously important and desirable objective could be attained with just a wee bit of database linking. You don’t think the ATO would love to get their mitts on it, for example?

    Henry is Da Man when it comes to economics, but woefully naive in other respects.

  36. johanna

    Oh, and forgot to mention that turning private companies (ISPs) into snoops, in violation of every privacy principle that is used to prevent citizens from perfectly innocent activities – like closing down the accounts of a deceased relative – is thrown to the winds in the process.

    ISPs, like other companies, are required to co-operate with law enforcement agncies in very specific circumstances. They should not become the arm of an omniscient State which claims the right to invade the privacy of every single person’s communications just in case.

  37. struth

    Anyone arguing for this should hang their head in shame.
    what is the reason for it?
    Who caused the problem?
    Are the goverments policies on immigration still the same?
    If they are the same, then they’re not trying to solve the problem and this is just a pissweak government bending over for an incompetent and power hungry bureaucrat or two.

  38. Adam D

    After the IRS issues in the states it’s surprising to see this even discussed here. I sure as he’ll don’t want any powers without warrants given to the current liberal government and the public service cronies. I dare not imagine what labor or the greens would do with such powers.

    The argument for the changes, I.e Muslim terrorists (is there any other kind?) has been almost non existent, I am not sure how exactly invasive internet data without warrants will stop a terrorist attack

  39. notafan

    ASIS can see is one URL to the VPN service and nothing else.

    wouldn’t that be a red flag?
    I’m not concerned about twitter, it’s public domain anyhow so there isn’t a privacy issue and quite frankly with the way IS (IS) use it to post atrocity photos and threats I hope they can find who is doing it.
    The ATO have monitored imappropriate staff usage of data for years. I remember one case where a women was prosecuted for looking at Wayne Carey’s info. The ATO probably would like more info though, much cheaper that old school audits.
    And I do wonder who looks at the people doing the monitoring.

  40. After the IRS issues in the states it’s surprising to see this even discussed here. I sure as he’ll don’t want any powers without warrants given to the current liberal government and the public service cronies. I dare not imagine what labor or the greens would do with such powers.

    +100

  41. egg_

    ASIS can see is one URL to the VPN service and nothing else.

    wouldn’t that be a red flag?

    Likely quite common as it’s often used to overcome Geo-blocking of e.g. Netflix and Amazon, even ‘The Checkout” (Chaser) Boyz/Choice magazine were promoting its use.

  42. MemoryVault

    I’m confused. Maybe one of the more technically literate Cats an help me.

    The grubbermint ses it needs this information to help identify, monitor, and track the web activities of potential terrorists.

    The grubbermint ses they are not invading my privacy cos the information gathered can’t be used to identify, monitor, or track my web activities.

    Now to my old befuddled mind it seems that either one of these claims has to be wrong, or potential terrorists must have special identifier built into their metadata so they can be distinguished from the rest of us law-abiding citizens.

    Which is it?

  43. Senile Old Guy

    Australia’s privacy watchdog Timothy Pilgrim has warned that indiscriminate metadata collection would place personal information at risk of privacy breaches.

    Under the presently broad and opaque proposal, telcos could be required to at least hold data on Australians that would link them to their internet protocol addresses in a move aimed to help law enforcement nail lengthy investigations.

    That collected data might be considered to be personally identifiable, and therefore place the holders of it — be it government agencies or telcos — at risk of breaching the national Privacy Act, Pilgrim said in a statement.

    “At this stage, it is unclear exactly what type of information would be retained,” Pilgrim said.

    “However, there is the potential for the retention of large amounts of data to contain or reveal a great deal of information about people’s private lives, and that this data could be considered ‘personal information’ under the Privacy Act.

    “The retention of large amounts of personal information for an extended period of time increases the risk of a data breach. Organisations holding this information need to comply with all their obligations under the Privacy Act, including the requirements to protect personal information from misuse, interference, loss, and unauthorised access, modification or disclosure.”

  44. TerjeP

    Memoryvault,

    You are an ASIO dude and you arrest a terrorist and take his computer. You find he logs into Server X on a regular basis to swap files with other bad guys. You get a warrant and covertly take over Server X. Log files on Server X show connections periodically originating from a number of computers around the country but the logs only identified those computers by IP address. You would like to know who was using those IP addresses at the time of the connection? Should you be able to know the answer?

  45. Senile Old Guy

    You get a warrant and covertly take over Server X.

    If you covertly take over Server X, I think you could collect pretty much whatever you wanted from the data coming into the server.

  46. You would like to know who was using those IP addresses at the time of the connection? Should you be able to know the answer?

    A new warrant should be required in each case. Of course, since the records are owned by private companies, they may be willing to provide the necessary information without one (though they may want to invoice the agency if it takes time to dig it out). However, companies should not be compelled to keep records “just in case” some government agency wants to take a peek, and said agencies shouldn’t be able to take a peek at what they do have without either their permission or a warrant.

  47. johanna

    Fleeced, that is one of the big problems I have. There are many ISPs – they rise, they fall, they are swallowed up by larger companies. They are not security experts. Their staff could be anyone at all.

    What is being proposed is essentially sub-contracting out security measures to these companies – who will not even be paid for it. So, they will pass on the costs to the customers that they are collecting data about (fair enough) without any quality control measures or security checks (why should they?) and so on. To describe it as sloppy and insecure is putting it mildly. Meanwhile, details of our personal communications, reading and interests are now the property of the State.

    Disgraceful.

  48. oldsalt

    Michael Rubin’s take on the US legislation affecting travellers. link

  49. .

    What is being proposed is essentially sub-contracting out security measures to these companies – who will not even be paid for it.

    This may mean the law could be invalid – just compensation, civilian conscription etc.

  50. Tel

    It’s a public network, as Bruce has described; there is no privacy.

    The Internet is almost entirely privately owned, even the governance is private, and most of the Intellectual Property is privately owned as well.

  51. Tel

    The more I read Henry Ergas, to more he seems to be an apologist for big government.

    Well it would be very interesting to get some metadata on how many government advertising contracts go to which newspapers and who gives approval.

    Murdoch and big business in general, don’t tend to agitate for change too much, because there’s no profit in it, and government can be vindictive (just ask Gina about vindictive treasurers, ask the Tea Party groups about a vindictive IRS). Besides, a nice captive regulator is bloody handy for weeding out the competitive small businesses that do nibble those profits.

  52. Tel

    The iiNet submission to the senate inquiry does not tell us what is in the intended legislation. I don’t know if the intended legislation has even been drafted yet. The senate inquiry was a precursor to inform the discussion.

    So how can Henry claim “the lesser evil” based on having no workable comparison as to the type of evil we are even dealing with here?

    Let’s make a practical comparison of how much safer from terrorists we will be with this legislation, as compared with how much more at risk we are after our recent military adventures have destabilised most of the Middle East.

  53. johanna

    Tel, claiming that Henry is a stooge is a bridge too far. Way, way too far.

Comments are closed.